- From: Neil Soiffer <Neils@dessci.com>
- Date: Thu, 3 Apr 2008 08:03:56 -0700
- To: "Henri Sivonen" <hsivonen@iki.fi>
- Cc: "Bruce Miller" <bruce.miller@nist.gov>, "Simon Pieters" <simonp@opera.com>, "Ian Hickson" <ian@hixie.ch>, "Sam Ruby" <rubys@us.ibm.com>, public-html@w3.org, www-math@w3.org
- Message-ID: <d98bce170804030803m53730613p289d54fbf3fddb77@mail.gmail.com>
The web page reference is really useful, thanks. You didn't mention IE, so I tried IE7 and got pretty much what you found where it sucked the "dangerous" into the script. However, I found that Opera 9.5beta and Firefox 2 both treated <script/> as an empty tag, which differs from what you found. I'm puzzled why I found a different behavior in Opera, and why Firefox 2 would differ from Firefox 3.

I don't think this changes the discussion, but I thought at least getting the facts straight (and on the record) might be useful in a different context.

Here's what the web page you referenced came up with:

*IE7*
<!DOCTYPE HTML><html> <HEAD> <SCRIPT> w("Dangerous"); <body></SCRIPT> </HEAD> <BODY></BODY> <META content=FUGCLQURCL name=SKYPE_FRAMEID> </html>

*Opera 9.5beta*
<!DOCTYPE HTML><html><HEAD> <SCRIPT></SCRIPT> <BODY></html>

*Firefox 2.0.0.13*
<!DOCTYPE HTML> <html><head> <script></script> </head><body>w("Dangerous"); </body></html>

On Wed, Apr 2, 2008 at 9:23 AM, Henri Sivonen <hsivonen@iki.fi> wrote:

> On Apr 2, 2008, at 19:13, Bruce Miller wrote:
>
> > Henri Sivonen wrote:
> >
> > > On Apr 2, 2008, at 18:58, Bruce Miller wrote:
> > >
> > > > I'm trying, but I don't get it.
> > > > I guess you're saying that with something like:
> > > > <script/>
> > > > do_dangerous_stuff();
> > > > </script>
> > >
> > > Gatekeeper applying the rule "/> always closes" would determine that
> > > do_dangerous_stuff(); is not executable but existing browsers would still
> > > run it. Of course, this is the wrong way to write a gatekeeper. The right
> > > way is *never* to pass through original source but to always run a parser,
> > > followed by sanitizer, followed by serializer. However, we can't expect
> > > people who write gatekeepers to be competent.
> >
> > Hmm....
> > Can </script> put do_dangerous_stuff(); into a (new) <script>
> > so that "everybody" agrees it's executable?
>
> Not without creating a gatekeeper problem.
>
> > What do current browsers do with:
> > <script/>
> > do_dangerous_stuff();
> > <body>....
> > ?
>
> The <body> tag becomes part of the script but the script doesn't run,
> because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1 and
> Opera 9.5 beta.)
>
> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E
> ...
>
> --
> Henri Sivonen
> hsivonen@iki.fi
> http://hsivonen.iki.fi/
Received on Thursday, 3 April 2008 15:04:38 UTC
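
Added example, not part of the original message or of any project discussed in the thread: a toy JavaScript tokenizer that reproduces the disagreement described above between a pass-through gatekeeper applying "/> always closes" and a parser that ignores the slash, and shows that re-serializing the parsed result removes the ambiguity under either rule. The function names and the script-only tokenizer are assumptions made for illustration; the rule that an unterminated script does not run follows what the thread reports for Firefox 3b4, Safari 3.1 and Opera 9.5 beta.

```javascript
// Constructed inputs modelled on the two snippets quoted in the thread.
const WITH_CLOSE = '<script/>\ndo_dangerous_stuff();\n</script>';
const NO_CLOSE = '<script/>\ndo_dangerous_stuff();\n<body>';

// Toy tokenizer (assumption: only <script> is recognised, all else is text).
// slashCloses=true  -> the gatekeeper rule "/> always closes"
// slashCloses=false -> the slash is ignored; script text runs to </script> or EOF
function tokenize(src, slashCloses) {
  const tokens = [];
  const open = /<script\b[^>]*>/gi;
  let pos = 0, m;
  while ((m = open.exec(src)) !== null) {
    if (m.index > pos) tokens.push({ type: 'text', data: src.slice(pos, m.index) });
    pos = open.lastIndex;
    if (slashCloses && m[0].endsWith('/>')) {
      tokens.push({ type: 'script', data: '', terminated: true });
      continue;
    }
    const close = /<\/script\b[^>]*>/gi;
    close.lastIndex = pos;
    const c = close.exec(src);
    tokens.push({ type: 'script', data: src.slice(pos, c ? c.index : src.length), terminated: c !== null });
    pos = c ? close.lastIndex : src.length;
    open.lastIndex = pos;
  }
  if (pos < src.length) tokens.push({ type: 'text', data: src.slice(pos) });
  return tokens;
}

// Script bodies that would run: non-empty and terminated by </script>
// (an unterminated script does not run, as reported in the thread).
function executableScripts(src, slashCloses) {
  return tokenize(src, slashCloses)
    .filter(t => t.type === 'script' && t.terminated && t.data.trim() !== '')
    .map(t => t.data.trim());
}

// The "wrong way": judge with the gatekeeper's own rule, then pass the ORIGINAL source through.
function passThroughGatekeeper(src) {
  return executableScripts(src, true).length === 0 ? src : '';
}

// Parser -> sanitizer -> serializer: drop script tokens, emit escaped text only.
function reserialize(src, slashCloses) {
  const esc = s => s.replace(/[&<>]/g, ch => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[ch]));
  return tokenize(src, slashCloses).filter(t => t.type === 'text').map(t => esc(t.data)).join('');
}
```

The pass-through gatekeeper returns `WITH_CLOSE` unchanged because its own rule sees an empty script, while the slash-ignoring rule finds `do_dangerous_stuff();` as a runnable body in that same output; `reserialize` yields no runnable script under either rule because the output is rebuilt from tokens rather than copied from the source.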