Skip to content

Possible to make IE run script after roundtripping in html5lib #12

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
gsnedders opened this issue Apr 9, 2013 · 1 comment
Closed

Possible to make IE run script after roundtripping in html5lib #12

gsnedders opened this issue Apr 9, 2013 · 1 comment
Assignees
@gsnedders
Labels
bug has-active-pull-request serializer
Milestone
1.0

Comments

@gsnedders
Copy link
Member

http://code.google.com/p/html5lib/issues/detail?id=92

Reported by zcorpan, Feb 27, 2009

What steps will reproduce the problem?
Input: <br title=><xmp>><script>alert(1)</script></xmp>
Serialization options: omit quotes.

What is the expected output?
Attribute values with ` in them should be quoted even with the omit quotes
setting.

What do you see instead?
Quotes are omitted and hence, the script is run in IE.

Feb 27, 2009 t.broyer

IIRC, the spec says a ` is allowed in an unquoted attribute value:
http://www.whatwg.org/specs/web-apps/current-work/multipage/syntax.html#attributes

Should the spec be changed? should we rather add a new option to the serializer?

Mar 10, 2009 sad.neko

I'm sorry, but i couldn't find ` to be allowed in unquoted attribute values in html5
neither in html4. Am i missing something?

Sep 4, 2009 Simetrical

The requirements that comment 2 links to say unquoted attributes "must not contain any literal space characters, any U+0022 QUOTATION MARK (") characters, U+0027 APOSTROPHE (') characters, U+003D EQUALS SIGN (=) characters, U+003C LESS-THAN SIGN (<) characters, or U+003E GREATER-THAN SIGN (>) characters, and must not be the empty string." There are no other constraints that don't apply to quoted attributes as well.

What's the bug here? As far as I can tell from reading the spec, the given text
should parse as

<br title=""><xmp>&gt;<script>alert(1)</script></xmp>

and conformant browsers should run the script.

Sep 6, 2009 zcorpan

No, because xmp is a RAWTEXT element. So it's equivalent to the following XML

<br title=""/><xmp>&gt;&lt;script&gt;alert(1)&lt;/script&gt;</xmp>

but in IE it's equivalent to the following XML

<br title="&gt;&lt;xmp&gt;"/><script>alert(1)</script><xmp/>

(I think a stray </xmp> tag will result in an empty element in IE, but I could
remember incorrectly; anyway that's besides the point.)

Oct 18, 2009 geoffers

` is now non-conforming at the start of an unquoted attribute.

Related to #11.
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue Jul 19, 2013
@gsnedders
Fix html5lib#11, html5lib#12: quote attributes that need escaping in …
a337d3b 
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
@ghost ghost assigned gsnedders Aug 13, 2013
@gsnedders
Copy link
Member Author

This, really, is just the same issue as #11. Let's just close this.

gsnedders added a commit to gsnedders/html5lib-python that referenced this issue Sep 19, 2013
@gsnedders
fixup! Fix html5lib#11, html5lib#12: quote attributes that need escap…
9dac020 
…ing in legacy browsers
@gsnedders gsnedders mentioned this issue Sep 19, 2013
Merged
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 7, 2016
@gsnedders
Fix html5lib#11, html5lib#12: quote attributes that need escaping in …
fe1baa8 
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 7, 2016
@gsnedders
fixup! Fix html5lib#11, html5lib#12: quote attributes that need escap…
be6230b 
…ing in legacy browsers
gsnedders added a commit that referenced this issue May 9, 2016
@gsnedders
Fix #11, #12: quote attributes that need escaping in legacy browsers
e04266c 
These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
gsnedders added a commit that referenced this issue May 9, 2016
@gsnedders
fixup! Fix #11, #12: quote attributes that need escaping in legacy br…
f3ea8ac 
…owsers
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
Fix html5lib#11, html5lib#12: quote attributes that need escaping in …
fd5a486 
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
fixup! Fix html5lib#11, html5lib#12: quote attributes that need escap…
da12b01 
…ing in legacy browsers
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
fixup! Fix html5lib#11, html5lib#12: quote attributes that need escap…
a30eb28 
…ing in legacy browsers
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
Fix html5lib#11, html5lib#12: quote attributes that need escaping in …
15ff801 
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
fixup! Fix html5lib#11, html5lib#12: quote attributes that need escap…
8765511 
…ing in legacy browsers
gsnedders added a commit to gsnedders/html5lib-python that referenced this issue May 11, 2016
@gsnedders
Fix html5lib#11, html5lib#12: quote attributes that need escaping in …
9b8d8eb 
…legacy browsers

These are mostly out of the market now, so this isn't massively
needed any more; nevertheless, avoiding XSS as much as possible is
inevitably desirable.

This alters the API so that quote_attr_values is now a ternary
setting, choosing between legacy-safe behaviour, spec behaviour, and
always quoting.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gsnedders gsnedders

Labels
bug has-active-pull-request serializer
Projects
None yet
Milestone
1.0
Development

No branches or pull requests
1 participant
@gsnedders