Possible to make IE run script after roundtripping in html5lib #12

Closed
gsnedders opened this issue Apr 9, 2013 · 1 comment


http://code.google.com/p/html5lib/issues/detail?id=92

Reported by zcorpan, Feb 27, 2009

What steps will reproduce the problem?
Input: <br title=><xmp>><script>alert(1)</script></xmp>
Serialization options: omit quotes.

What is the expected output?
Attribute values with ` in them should be quoted even with the omit quotes
setting.

What do you see instead?
Quotes are omitted and hence, the script is run in IE.

Feb 27, 2009 t.broyer

IIRC, the spec says a ` is allowed in an unquoted attribute value:
http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#attributes

Should the spec be changed? Should we rather add a new option to the serializer?

Mar 10, 2009 sad.neko

I'm sorry, but I couldn't find ` to be allowed in unquoted attribute values in html5
nor in html4. Am I missing something?

Sep 4, 2009 Simetrical

The requirements that comment 2 links to say unquoted attributes "must not contain any literal space characters, any U+0022 QUOTATION MARK (") characters, U+0027 APOSTROPHE (') characters, U+003D EQUALS SIGN (=) characters, U+003C LESS-THAN SIGN (<) characters, or U+003E GREATER-THAN SIGN (>) characters, and must not be the empty string." There are no other constraints that don't apply to quoted attributes as well.

What's the bug here? As far as I can tell from reading the spec, the given text
should parse as

<br title=""><xmp>&gt;<script>alert(1)</script></xmp>

and conformant browsers should run the script.

Sep 6, 2009 zcorpan

No, because xmp is a RAWTEXT element. So it's equivalent to the following XML

<br title=""/><xmp>&gt;&lt;script&gt;alert(1)&lt;/script&gt;</xmp>

but in IE it's equivalent to the following XML

<br title="&gt;&lt;xmp&gt;"/><script>alert(1)</script><xmp/>

(I think a stray </xmp> tag will result in an empty element in IE, but I could
remember incorrectly; anyway that's beside the point.)

Oct 18, 2009 geoffers

` is now non-conforming at the start of an unquoted attribute.

Related to #11.

gsnedders added a commit to gsnedders/html5lib-python that referenced this issue Jul 19, 2013

Fix html5lib#11, html5lib#12: quote attributes that need escaping in legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.

@ghost ghost assigned gsnedders Aug 13, 2013

gsnedders commented Sep 19, 2013

This, really, is just the same issue as #11. Let's just close this.

@gsnedders gsnedders closed this Sep 19, 2013

gsnedders added a commit that referenced this issue May 9, 2016

Fix #11, #12: quote attributes that need escaping in legacy browsers
These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
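
The three behaviours the commit message describes, as an added Python example that is not html5lib's own code. The spec-mode character set is the one quoted in the thread; the mode names, the function names and the choice to treat only the backtick as the extra legacy-unsafe character are assumptions of this example.

```python
import re

# Characters the HTML syntax forbids in an unquoted attribute value, as quoted
# in the thread: space characters, " ' = < >. The empty string is also forbidden.
SPEC_UNSAFE = re.compile(r"[ \t\n\f\r\"'=<>]")
# Assumption for this example: legacy-safe mode additionally treats the
# backtick as unsafe, because the thread reports IE reading it as a delimiter.
LEGACY_UNSAFE = re.compile(r"[ \t\n\f\r\"'=<>`]")

# Hypothetical names for the three behaviours of the ternary setting.
MODES = ("legacy", "spec", "always")


def needs_quotes(value, mode="legacy"):
    """Return True if the serializer must quote this attribute value."""
    if mode not in MODES:
        raise ValueError("unknown mode: %r" % (mode,))
    if mode == "always" or value == "":
        return True
    pattern = SPEC_UNSAFE if mode == "spec" else LEGACY_UNSAFE
    return pattern.search(value) is not None


def serialize_attr(name, value, mode="legacy"):
    """Serialize one attribute, quoting only when the chosen mode requires it."""
    escaped = value.replace("&", "&amp;")
    if not needs_quotes(value, mode):
        return "%s=%s" % (name, escaped)
    # Use single quotes when the value contains only double quotes;
    # otherwise use double quotes and escape any double quote inside.
    if '"' in value and "'" not in value:
        return "%s='%s'" % (name, escaped)
    return '%s="%s"' % (name, escaped.replace('"', "&quot;"))


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    for sample in ["plain", "`x`", "", 'say "hi"', "a b"]:
        for mode in MODES:
            print("%-7s %s" % (mode, serialize_attr("title", sample, mode)))
```

Only the backtick value differs between the spec and legacy-safe modes: spec mode emits it unquoted, which is the output the issue reports as unsafe in IE.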
