Hi Padraic,
On Wed, Feb 5, 2014 at 6:22 AM, Pádraic Brady <[email protected]> wrote:
> Doing a bit of due diligence, the reason the forward slash was added
> was to prevent any possibility of someone introducing a Javascript
> comment into an attribute. It's very sketchy, but the theory is that
> since html escaping won't escape /, using html escaping on a
> javascript attribute like onmouseover might allow the browser to
> interpret a comment, disregard the terminating quotes of an attribute,
> and then inject HTML. Personally, it seems a bit garbled - user input
> in a Javascript attribute should be escaped as a Javascript string
> literal with no input injected as actual Javascript code - so it would
> require both a severe browser parsing issue AND a lack of proper
> contextual escaping.
>
It depends on how the HTML parser parses HTML.
<tag onmouseover="user_code_here; /*"><tag foo="*/; evil_code_here;">
<tag onmouseover=user_code_here;/* ><tag foo=*/; evil_code_here; >
If the parser is aware of the "/*" as a JS comment, then it can be attacked.
'/' escaping would prevent malicious code from attacking when the user has sloppy
validation and/or filtering.
(The HTML parser should parse the HTML document as HTML first and should not
recognize JS elements and/or anything else, but who knows whether every parser out
there is implemented correctly.)
I've added deprecation of ENT_COMPAT/ENT_QUOTES to the RFC.
Is it ready to vote?
No more issues to discuss?
Anyone?
Regards,
--
Yasuo Ohgaki
[email protected]
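As an added illustration of the point made above (this is example code written for this page, not PHP's htmlspecialchars() and not code from either poster), the snippet below compares an attribute escaper that handles only the usual five characters with one that also escapes the forward slash. The payload strings are constructed to mirror the sketch in the message; the numeric entity chosen for '/' (&#x2F;) is an assumption of this example. Pádraic's point still stands: escaping '/' is defense in depth for a sloppy parser or filter, and does not replace proper contextual escaping of untrusted data placed inside JavaScript.

```python
import html

# Escapes applied by the "with slash" variant. The first five match the usual
# htmlspecialchars-style set; the entity for '/' is an assumption made for this
# example, not a claim about what any particular library emits.
ATTR_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#039;",
    "/": "&#x2F;",
}


def escape_attr_without_slash(value: str) -> str:
    """Baseline: escape &, <, >, and both quote characters only."""
    return html.escape(value, quote=True)


def escape_attr_with_slash(value: str) -> str:
    """Same set plus '/', so the literal sequences '/*' and '*/' cannot survive."""
    return "".join(ATTR_ESCAPES.get(ch, ch) for ch in value)


def build_tag(attr_value: str, escaper) -> str:
    """Place an untrusted value into a quoted event-handler attribute."""
    return f'<tag onmouseover="{escaper(attr_value)}">'


def contains_js_comment_delimiter(markup: str) -> bool:
    """What a parser that (wrongly) recognizes JS comments would latch onto."""
    return "/*" in markup or "*/" in markup


def roundtrip_ok(value: str) -> bool:
    """Escaping must stay lossless: a compliant decoder recovers the original."""
    return html.unescape(escape_attr_with_slash(value)) == value


# Constructed sample inputs mirroring the thread's sketch.
PAYLOAD_OPEN = "user_code_here; /*"
PAYLOAD_CLOSE = "*/; evil_code_here;"

if __name__ == "__main__":
    for payload in (PAYLOAD_OPEN, PAYLOAD_CLOSE):
        for name, esc in (("no slash escaping", escape_attr_without_slash),
                          ("slash escaped", escape_attr_with_slash)):
            tag = build_tag(payload, esc)
            print(f"{name:18} -> {tag}  comment delimiter present: "
                  f"{contains_js_comment_delimiter(tag)}")
```

Run as a script, the baseline escaper leaves "/*" and "*/" intact inside the attribute, while the slash-escaping variant emits "&#x2F;*" and "*&#x2F;", which a parser cannot mistake for a comment delimiter; html.unescape() still recovers the original value, so the extra escape costs nothing in correctness.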