Re: SVG 1.2 Comment: image/svg+xml;charset=''

On Wednesday 24 November 2004 16.54, you wrote:
>* ronan@roasp.com wrote:
>>Tricks with poorly formed content do not apply to XML, which is much
>>stricter than SGML. This is really not a problem any more as the parsers
>>simply reject malformed content.
>
>Nothing stops SGML or HTML processors from treating ill-formed content
>the same way as XML processors treat ill-formed content.
>

Ill-formed XML generally causes even the most rudimentary parsers to fall
over. Granted, some parsers are less competent than others. But this is
simply a pedigree problem. I am not aware of any SVG parsers that allow
badly-formed XML through. We all use Apache and Mozilla for pedigree reasons,
and certainly the users' choice of SVG implementations will be influenced by
the pedigree of the browser...

>>XSS does not pose a risk with respect to encoding tricks. Zero. None. If
>>the encoding of a snippet is different, the parser will not recognize the
>>wrongly encoded content and just return the literal codes, causing the
>>XSS trick to fail.
>
>Consider
>
>  Content-Type: image/svg+xml;charset=utf-8
>
>  <?xml version="1.0" encoding="utf-7"?>
>  ...
>  <a>+ADw-script+AD4...script code...+ADw-/script+AD4</a>
>  ...
>
>If the charset parameter is ignored you suddenly have
>
>  ...
>  <a><script>...script code...</script></a>
>  ...

That is an interesting problem. I do see how this could cause a problem if
the browser was broken and did not follow RFC 3023, which says that the
document encoding takes precedence.

However, something that you need to keep in mind is that XML is much stricter
than SGML. While in SGML the above <script>code</script> is all you need for
executability, in XML you need CDATA tags which clearly define the script
chunk. An added security is the DTD and Schema definitions, which prevent
script content from appearing at arbitrary locations without clear
delimiters. With a reasonable parser, it is impossible to send your above
content invisibly. Either it will be detected as script or it will be
detected as invalid XML and rejected.

>
>Regardless of whether the charset parameter is honored there is no error
>in the document.
>

Yes, there is an error, as discussed above. Either the script element is
caught or the XML is broken and rejected.


-- 
Ronan Oger
http://www.roasp.com

Received on Thursday, 25 November 2004 08:50:35 UTC
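The charset question in the exchange above, worked through as an added example that is not part of the original messages or of any SVG implementation. The document body, Content-Type value and the `alert(1)` script payload are constructed here to match the shape of the quoted example; the helper names (`charset_param`, `declared_encoding`, `decode_body`, `element_names`, `contains_script`) are this example's own. RFC 3023 treats the Content-Type charset parameter as authoritative for XML media types, so a conformant receiver decodes the body as UTF-8 and sees only literal `+ADw-` text inside `<a>`; a receiver that ignores the parameter and trusts the in-document `encoding="utf-7"` declaration decodes the same bytes into a real `<script>` element. The XML is well-formed either way, which is the point being made about there being no parse error to catch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the original thread verbatim): the HTTP header
# says UTF-8, the XML declaration says UTF-7, and the angle brackets of the
# script element are UTF-7 shift sequences (+ADw- is "<", +AD4- is ">").
CONTENT_TYPE = "image/svg+xml;charset=utf-8"
RAW_BODY = (
    b'<?xml version="1.0" encoding="utf-7"?>\n'
    b'<a>+ADw-script+AD4-alert(1)+ADw-/script+AD4-</a>\n'
)

_DECL_RE = re.compile(rb'^<\?xml[^>]*?\sencoding\s*=\s*["\']([\w.-]+)["\']')


def charset_param(content_type):
    """Return the charset= parameter of a Content-Type value, lower-cased, or None."""
    for param in content_type.split(";")[1:]:
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "charset":
            return value.strip().strip('"').lower() or None
    return None


def declared_encoding(raw):
    """Return the encoding named in the XML declaration, lower-cased, or None.

    The declaration is plain ASCII in every ASCII-compatible encoding
    (including UTF-7, which leaves letters, digits, quotes, '<', '>', '?', '='
    and '.' unshifted), so sniffing it from the raw bytes is safe here.
    """
    m = _DECL_RE.match(raw)
    return m.group(1).decode("ascii").lower() if m else None


def decode_body(content_type, raw, honor_charset=True):
    """Decode the entity body.

    honor_charset=True  : the RFC 3023 behaviour, charset parameter wins.
    honor_charset=False : the broken receiver from the thread, which falls
                          back to the in-document encoding declaration.
    """
    encoding = charset_param(content_type) if honor_charset else None
    if encoding is None:
        encoding = declared_encoding(raw) or "utf-8"
    return raw.decode(encoding)


def element_names(xml_text):
    """Parse decoded XML text and list the element names it contains."""
    # The declaration has already been acted on (or deliberately ignored) during
    # decoding; drop it so the parser does not re-apply it to Unicode text.
    body = re.sub(r"^<\?xml[^>]*\?>\s*", "", xml_text)
    root = ET.fromstring(body)
    return [el.tag for el in root.iter()]


def contains_script(content_type, raw, honor_charset=True):
    """True if a <script> element materialises under the chosen decoding policy."""
    return "script" in element_names(decode_body(content_type, raw, honor_charset))


if __name__ == "__main__":
    for policy in (True, False):
        text = decode_body(CONTENT_TYPE, RAW_BODY, honor_charset=policy)
        print("honor charset:", policy)
        print("  decoded :", text.splitlines()[1])
        print("  elements:", element_names(text))
```

Both decodings parse without error; only the element list differs. The same test doubles as a regression check for a receiver: feed it a document whose header charset and declaration disagree and assert that the element tree it builds matches the header, not the declaration.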