Skip to content
Permalink
Browse files

[ac] (0) Disallow ` in unquoted attribute values.

git-svn-id: http://svn.whatwg.org/webapps@4076 340c8d12-0b0e-0410-8428-c7bf67bfef74
  • Loading branch information...
Hixie committed Oct 5, 2009
1 parent b8229a0 commit 35846c1eae1d30cadbf112c71998a49348a3abe9
Showing with 70 additions and 6 deletions.
  1. +35 −3 index
  2. +35 −3 source
38 index
characters</a>, any U+0022 QUOTATION MARK (<code>"</code>)
characters, U+0027 APOSTROPHE (<code>'</code>) characters,
U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
(<code>&gt;</code>) characters, and must not be the empty
string.</p>
SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
(<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
characters, and must not be the empty string.</p>

<!-- The ` character is in this list on a temporary basis, waiting
for IE to fix it's parsing bug whereby it treats ` as an
attribute value delimiter. Otherwise, escaping software that
tries to be clever and not use quotes when it doesn't need to
could be tricked by an attacker.

Posit a site that allows the user to input text that is used
verbatim in two attributes, such that the user can set the
first attribute's value to:

`

...and the second to:

` onload='...payload...' end=x

...with the assumption that the site is going to not quote
the first one, and quote the second one with double quotes:

<body title=` class="` onload='...payload...' end=x">

In IE, this is treated as:

<body title=' class="'
onload='...payload...'
end='x"'>

-->


<div class=example>


<dt>U+003C LESS-THAN SIGN (&lt;)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
<dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
entry below.</dd>

<dt>U+0027 APOSTROPHE (')</dt>
<dt>U+003C LESS-THAN SIGN (&lt;)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
<dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
entry below.</dd>

38 source
characters</span>, any U+0022 QUOTATION MARK (<code>&#x22;</code>)
characters, U+0027 APOSTROPHE (<code>&#x27;</code>) characters,
U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
(<code>&gt;</code>) characters, and must not be the empty
string.</p>
SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
(<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
characters, and must not be the empty string.</p>

<!-- The ` character is in this list on a temporary basis, waiting
for IE to fix it's parsing bug whereby it treats ` as an
attribute value delimiter. Otherwise, escaping software that
tries to be clever and not use quotes when it doesn't need to
could be tricked by an attacker.

Posit a site that allows the user to input text that is used
verbatim in two attributes, such that the user can set the
first attribute's value to:

`

...and the second to:

` onload='...payload...' end=x

...with the assumption that the site is going to not quote
the first one, and quote the second one with double quotes:

<body title=` class="` onload='...payload...' end=x">

In IE, this is treated as:

<body title=' class="'
onload='...payload...'
end='x"'>

-->


<div class="example">


<dt>U+003C LESS-THAN SIGN (&lt;)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
<dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><span>Parse error</span>. Treat it as per the "anything else"
entry below.</dd>

<dt>U+0027 APOSTROPHE (')</dt>
<dt>U+003C LESS-THAN SIGN (&lt;)</dt>
<dt>U+003D EQUALS SIGN (=)</dt>
<dt>U+0060 GRAVE ACCENT (`)</dt>
<dd><span>Parse error</span>. Treat it as per the "anything else"
entry below.</dd>

0 comments on commit 35846c1

Please sign in to comment.
You can’t perform that action at this time.