Re: Opera reparses as HTML when XML parse fails

On Wed, Dec 14, 2011 at 5:55 AM, Noah Mendelsohn <nrm@arcanedomain.com> wrote:
> Now, application/xhtml+xml content would not give any trouble if the XHTML
> code on these sites was well-formed, but unfortunately, mistakes are easily
> made..."

I think the solution Opera has chosen is a bad one. For text/html, we
went through a lot of trouble to change things so that an attacker who
is able to force a premature end of the input stream can't trigger
reparsing that would lead to parts of the page that weren't meant to
be scripts to be interpreted as scripts.

AFAICT, Opera's solution introduces such dangerous reparsing to
application/xhtml+xml. Also, reparsing is bad for performance and can
cause the side effects of scripts to happen twice.

I think non-Draconian non-backtracking parsing rules for XML (such as
XML5) would have been a better solution.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Friday, 16 December 2011 17:07:11 UTC