- From: Orion Adrian <orion.adrian@gmail.com>
- Date: Mon, 21 Aug 2006 09:17:51 -0400
- To: "HTML Mailing List" <www-html@w3.org>

On 8/21/06, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:
> * Orion Adrian wrote:
> >> > <div id="comment123" nocode="true">
> >>
> >> I'm afraid that this would be too easy to bypass:
> >>
> >> <div id="comment123" nocode="true">
> >> $comment
> >> </div>
> >>
> >> $comment = '</div><script ...';
> >
> >Not if you required the comments to be well-formed by themselves.
>
> Here is a "well-formed" comment:
>
> +ADw-/div+AD4-+ADw-script+AD4-alert('pwnd')+ADw-/script+AD4-...
>
> If the document does not declare an encoding and the comment is placed
> appropriately in the document, this will likely cause IE6 to consider
> the document UTF-7 encoded and the script will be executed. Of course,
> escaping the comment would not protect from this problem either, only
> a proper encoding declaration will.

I'm willing to say that a document must be properly encoded for this
thing to work. Heck, I'm willing to say a document should always be
properly encoded.
--
Orion Adrian
Received on Monday, 21 August 2006 13:18:04 UTC
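
The following is an added example, not part of the original thread: it uses the comment string quoted above to show why HTML-escaping leaves it intact and why an explicit charset declaration is the control that matters. The names `render_page`, `declared_charset`, `legacy_browser_text` and `script_injected` are hypothetical, and the sniffing rule is a simplified model (an assumption) of the IE6 behaviour described in the message.

```python
import html
import re

# Comment text quoted in the message above (trailing "..." dropped).
COMMENT = "+ADw-/div+AD4-+ADw-script+AD4-alert('pwnd')+ADw-/script+AD4-"


def render_page(comment, charset=None):
    """Return (headers, body_bytes) for a page embedding an HTML-escaped comment."""
    ctype = "text/html" + (f"; charset={charset}" if charset else "")
    body = '<div id="comment123">' + html.escape(comment) + "</div>"
    return {"Content-Type": ctype}, body.encode("ascii")


def declared_charset(headers):
    """Extract the charset parameter from Content-Type, or None if absent."""
    m = re.search(r"charset=([\w-]+)", headers.get("Content-Type", ""), re.I)
    return m.group(1).lower() if m else None


def legacy_browser_text(headers, body):
    """Simplified model (assumption) of an encoding-sniffing client:
    honour a declared charset; with none declared, guess UTF-7 when the
    body contains +...- shift sequences."""
    charset = declared_charset(headers)
    if charset is None and re.search(rb"\+[A-Za-z0-9/]+-", body):
        charset = "utf-7"
    return body.decode(charset or "ascii")


def script_injected(text):
    """True if the text the client ends up parsing contains a script tag."""
    return "<script>" in text.lower()


if __name__ == "__main__":
    # The comment has no <, > or &, so escaping those changes nothing.
    print("escaped == original:", html.escape(COMMENT, quote=False) == COMMENT)
    for cs in (None, "utf-8"):
        headers, body = render_page(COMMENT, cs)
        seen = legacy_browser_text(headers, body)
        print(f"declared={cs!s:6} script element seen: {script_injected(seen)}")
```

A response-side check built on `declared_charset` (reject or fix any HTML response where it returns `None`) enforces the "always properly encoded" rule from the reply.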