- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Thu, 4 Feb 2010 19:48:07 -0500
On Thu, Feb 4, 2010 at 12:44 PM, Michal Zalewski <lcamtuf at coredump.cx> wrote:
> The same argument could be made for not escaping <, but I don't think
> it's valid in practice - particularly for (hypothetically) constrained
> input fields.

The use-cases for srcdoc are only where you expect HTML input. HTML input is very likely to contain " or '. By contrast, ordinary XSS usually occurs when < is unlikely to occur in legitimate input, so you won't spot it right away -- as you say, constrained input fields. Why would anyone, even someone who's extremely confused and/or ignorant, even *attempt* to use srcdoc to contain anything other than HTML?
Received on Thursday, 4 February 2010 16:48:07 UTC
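As an added example (not part of Aryeh's or Michal's messages), the escaping point above in code: srcdoc is an attribute value, so the embedded HTML must have its quotes escaped, and a round trip through a simplified stand-in for the browser's attribute parsing shows what an angle-bracket-only escaper loses. The decoder and the sample markup are constructed for this example.

```javascript
// Added example, not from the thread: why a srcdoc value must have its
// quotes escaped, and what goes wrong when only < and > are handled.

// srcdoc is an ordinary attribute value. The HTML parser decodes character
// references once while reading the attribute, then parses the decoded
// text as the frame's document. So the embedded HTML is escaped as
// attribute text, and the delimiting quote is what must never appear raw.
function escapeForAttribute(html) {
  return html
    .replace(/&/g, '&amp;')   // first, so the entities added below survive
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
  // < and > may stay as-is inside a quoted attribute value.
}

// The mistake the thread warns against: treating srcdoc like text content
// and escaping only the angle brackets, leaving " and ' untouched.
function escapeAngleBracketsOnly(html) {
  return html.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function buildIframe(html, escape) {
  escape = escape || escapeForAttribute;
  return '<iframe srcdoc="' + escape(html) + '"></iframe>';
}

// Simplified stand-in (an assumption of this example) for the browser's
// attribute parsing: the value ends at the first raw ", then the named and
// numeric references used above are resolved.
function decodeAttribute(value) {
  const table = { amp: '&', quot: '"', '#39': "'", lt: '<', gt: '>' };
  return value.replace(/&(amp|quot|#39|lt|gt);/g, (_, name) => table[name]);
}

function extractSrcdoc(tag) {
  const m = /srcdoc="([^"]*)"/.exec(tag);
  return m ? decodeAttribute(m[1]) : null;
}

// Constructed sample: legitimate HTML input, and as the message notes it is
// full of quotes. A correct round trip returns it unchanged.
const sample = '<p class="note">Say "hi" &amp; <a href=\'/x\'>go</a></p>';

// The quote-escaped version round-trips; the angle-bracket-only version is
// cut off at the first " in the input, and everything after it lands
// outside the attribute instead of inside the frame.
console.log(extractSrcdoc(buildIframe(sample)) === sample);                 // true
console.log(extractSrcdoc(buildIframe(sample, escapeAngleBracketsOnly)));  // "<p class="
```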