- From: Ronan Oger <ronan@roasp.com>
- Date: Thu, 25 Nov 2004 08:53:44 +0000
- To: Bjoern Hoehrmann <derhoermi@gmx.net>, www-svg@w3.org
On Wednesday 24 November 2004 16.54, you wrote:
>* ronan@roasp.com wrote:
>>Tricks with poorly formed content do not apply to XML, which is much
>>stricter than SGML. This is really not a problem any more as the parsers
>>simply reject malformed content.
>
>Nothing stops SGML or HTML processors from treating ill-formed content
>the same way as XML processors treat ill-formed content.
>

Ill-formed XML generally causes even the most rudimentary parsers to fall over. Granted, some parsers are less competent than others. But this is simply a pedigree problem. I am not aware of any SVG parsers that allow badly-formed XML through. We all use Apache and Mozilla for pedigree reasons, and certainly the users' choice of SVG implementations will be influenced by the pedigree of the browser...

>>XSS does not pose a risk with respect to encoding tricks. Zero. None. If
>>the encoding of a snippet is different, the parser will not recognize the
>>wrongly encoded content and just return the literal codes, causing the
>>XSS trick to fail.
>
>Consider
>
>  Content-Type: image/svg+xml;charset=utf-8
>
>  <?xml version="1.0" encoding="utf-7"?>
>  ...
>  <a>+ADw-script+AD4...script code...+ADw-/script+AD4</a>
>  ...
>
>If the charset parameter is ignored you suddenly have
>
>  ...
>  <a><script>...script code...</script></a>
>  ...

That is an interesting problem. I do see how this could cause a problem if the browser was broken and did not follow RFC 3023, which says that the document encoding takes precedence. However, something that you need to keep in mind is that XML is much stricter than SGML. While in SGML the above <script>code</script> is all you need for executability, in XML you need CDATA tags which clearly define the script chunk. An added security is the DTD and Schema definitions which prevent script content from appearing at arbitrary locations without clear delimiters. With a reasonable parser, it is impossible to send your above content invisibly.
Either it will be detected as script or it will be detected as invalid XML and rejected.

>
>Regardless of whether the charset parameter is honored there is no error
>in the document.
>

Yes, there is an error, as discussed above. Either the script element is caught or the XML is broken and rejected.

--
Ronan Oger
http://www.roasp.com
Received on Thursday, 25 November 2004 08:50:35 UTC
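The charset-versus-declaration scenario quoted in the exchange above, as an added example that is not part of the thread: a small Python audit that extracts the Content-Type charset parameter and the XML declaration's encoding, applies the RFC 3023 rule (the MIME charset parameter is authoritative when present) and decodes the body under every candidate encoding to flag a script element that is visible under one but not another. The sample header and body are constructed for this example; `audit`, `effective_encoding` and the regex names are this example's own.

```python
import re

# Constructed sample of the quoted scenario: the HTTP header says UTF-8, the
# XML declaration says UTF-7, and the body carries a UTF-7 encoded script
# element (in UTF-7, +ADw- decodes to "<" and +AD4- to ">").
SAMPLE_CONTENT_TYPE = "image/svg+xml;charset=utf-8"
SAMPLE_BODY = (
    b'<?xml version="1.0" encoding="utf-7"?>\n'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<a>+ADw-script+AD4-alert(1)+ADw-/script+AD4-</a></svg>'
)

CHARSET_RE = re.compile(r';\s*charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.I)
XMLDECL_RE = re.compile(rb'^\s*<\?xml[^>]*?encoding\s*=\s*["\']([A-Za-z0-9._-]+)["\']')
SCRIPT_RE = re.compile(r'<script[\s>]', re.I)

def mime_charset(content_type: str):
    """Charset parameter of a Content-Type value, lower-cased, or None."""
    m = CHARSET_RE.search(content_type)
    return m.group(1).lower() if m else None

def xml_encoding(body: bytes):
    """Encoding named in the XML declaration; assumes an ASCII-compatible
    prolog (a UTF-16 document would need BOM sniffing first)."""
    m = XMLDECL_RE.match(body[:256])
    return m.group(1).decode('ascii').lower() if m else None

def effective_encoding(content_type: str, body: bytes) -> str:
    """RFC 3023: a MIME charset parameter takes precedence over the XML
    declaration; with neither present, XML's own default (UTF-8) applies."""
    return mime_charset(content_type) or xml_encoding(body) or 'utf-8'

def audit(content_type: str, body: bytes) -> dict:
    """Decode the body under each encoding a consumer might pick and report
    whether a script element is visible under some of them but not others."""
    mime, decl = mime_charset(content_type), xml_encoding(body)
    script_under = {}
    for enc in {e for e in (mime, decl, 'utf-8') if e}:
        try:
            text = body.decode(enc, errors='replace')
        except LookupError:  # encoding name Python does not know
            text = ''
        script_under[enc] = bool(SCRIPT_RE.search(text))
    return {
        'mime_charset': mime,
        'xml_encoding': decl,
        'effective': effective_encoding(content_type, body),
        'mismatch': bool(mime and decl and mime != decl),
        'script_under': script_under,
        'encoding_dependent_script': len(set(script_under.values())) > 1,
    }
```

A gateway or scanner that sees `mismatch` or `encoding_dependent_script` set has found exactly the document the quoted message describes: harmless under the authoritative charset, executable under the one the XML declaration names.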