- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Wed, 2 Apr 2008 19:23:39 +0300
- To: Bruce Miller <bruce.miller@nist.gov>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
On Apr 2, 2008, at 19:13, Bruce Miller wrote:

>
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>>> I'm trying, but I don't get it.
>>> I guess you're saying that with something like:
>>> <script/>
>>> do_dangerous_stuff();
>>> </script>
>> Gatekeeper applying the rule "/> always closes" would determine
>> that do_dangerous_stuff(); is not executable but existing browsers
>> would still run it. Of course, this is the wrong way to write a
>> gatekeeper. The right way is *never* to pass through original
>> source but to always run a parser, followed by sanitizer, followed
>> by serializer. However, we can't expect people who write
>> gatekeepers to be competent.
>
> Hmm....
> Can </script> put do_dangerous_stuff(); into a (new) <script>
> so that "everybody" agrees it's executable?

Not without creating a gatekeeper problem.

> What do current browsers do with:
> <script/>
> do_dangerous_stuff();
> <body>....
> ?

The <body> tag becomes part of the script but the script doesn't run, because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1 and Opera 9.5 beta.)

http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E

...

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Wednesday, 2 April 2008 16:24:46 UTC
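
The parser disagreement discussed in the message above, as an added example that is not part of the original message or of any project named in it. The toy tokenizer, the allowlist and all function names are assumptions; the "browser" model encodes only the behaviour reported in the message (a `<script/>` start tag opens a script that runs only if a `</script>` follows before EOF).

```python
import re
from html import escape

TAG = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*?(/?)>")
END_SCRIPT = re.compile(r"</script\s*>", re.I)
ALLOWED = {"p", "b", "i", "em", "strong"}  # assumed allowlist
# The two snippets quoted in the message (the trailing <p> is constructed).
CLOSED = "<script/>\n do_dangerous_stuff();\n</script>\n<p>hi</p>"
UNTERMINATED = "<script/>\n do_dangerous_stuff();\n<body>"

def tokenize(src, slash_closes):
    """Toy tokenizer. slash_closes=True is the '/> always closes' rule;
    False is the browser behaviour reported in the message."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TAG.search(src, pos)
        if not m:
            tokens.append(("text", src[pos:]))
            break
        if m.start() > pos:
            tokens.append(("text", src[pos:m.start()]))
        closing, name, selfclose = m.group(1), m.group(2).lower(), m.group(3)
        pos = m.end()
        if name != "script" or closing:
            tokens.append(("end" if closing else "start", name))
        elif selfclose and slash_closes:
            tokens.append(("script", "", True))  # treated as an empty element
        else:  # raw text up to </script>, or to EOF if there is none
            end = END_SCRIPT.search(src, pos)
            tokens.append(("script", src[pos:end.start() if end else len(src)], bool(end)))
            pos = end.end() if end else len(src)
    return tokens

def executed_scripts(src, slash_closes):
    """Bodies of scripts that run under the model; unterminated ones do not."""
    return [t[1].strip() for t in tokenize(src, slash_closes)
            if t[0] == "script" and t[2] and t[1].strip()]

def passthrough_gatekeeper(src):
    """Wrong design: judge with one parser, then forward the original source."""
    return "" if executed_scripts(src, slash_closes=True) else src

def sanitize(src):
    """Parser, then sanitizer, then serializer: output is built from tokens only."""
    out = []
    for t in tokenize(src, slash_closes=True):
        if t[0] == "text":
            out.append(escape(t[1], quote=False))
        elif t[0] in ("start", "end") and t[1] in ALLOWED:
            out.append(("</" if t[0] == "end" else "<") + t[1] + ">")
    return "".join(out)
```

Because `sanitize` never forwards source bytes, its output is script-free under either model even though its own parser uses the "/> always closes" rule.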