[html5] r5839 - [e] (0) Raise the profile of a note to the level of a warning, since what it is [...]
whatwg at whatwg.org
Mon Feb 7 14:34:37 PST 2011
Author: ianh
Date: 2011-02-07 14:34:36 -0800 (Mon, 07 Feb 2011)
New Revision: 5839
Modified:
complete.html
index
source
Log:
[e] (0) Raise the profile of a note to the level of a warning, since what it is talking about could result in XSS.
Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=11668
Modified: complete.html
===================================================================
--- complete.html 2011-02-07 22:16:28 UTC (rev 5838)
+++ complete.html 2011-02-07 22:34:36 UTC (rev 5839)
@@ -84802,23 +84802,41 @@
</ol><p class=note>Entity reference nodes are <a href=#entity-references>assumed to be expanded</a> by the user
agent, and are therefore not covered in the algorithm above.</p>
- <p class=note>It is possible that the output of this algorithm, if
+ <p class=warning>It is possible that the output of this algorithm, if
parsed with an <a href=#html-parser>HTML parser</a>, will not return the
- original tree structure. For instance, if a <code><a href=#the-textarea-element>textarea</a></code>
- element to which a <code title="">Comment</code> node has been
- appended is serialized and the output is then reparsed, the comment
- will end up being displayed in the text field. Similarly, if, as a
- result of DOM manipulation, an element contains a comment that
- contains the literal string "<code title="">--></code>", then
- when the result of serializing the element is parsed, the comment
- will be truncated at that point and the rest of the comment will be
- interpreted as markup. More examples would be making a
- <code><a href=#script>script</a></code> element contain a text node with the text string
- "<code></script></code>", or having a <code><a href=#the-p-element>p</a></code> element that
- contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code> element's
- <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would imply the end
- tag for the <code><a href=#the-p-element>p</a></code>).</p>
+ original tree structure.</p>
+ <div class=example>
+
+ <p>For instance, if a <code><a href=#the-textarea-element>textarea</a></code> element to which a
+ <code title="">Comment</code> node has been appended is serialized
+ and the output is then reparsed, the comment will end up being
+ displayed in the text field. Similarly, if, as a result of DOM
+ manipulation, an element contains a comment that contains the
+ literal string "<code title="">--></code>", then when the result
+ of serializing the element is parsed, the comment will be truncated
+ at that point and the rest of the comment will be interpreted as
+ markup. More examples would be making a <code><a href=#script>script</a></code> element
+ contain a text node with the text string
+ "<code></script></code>", or having a <code><a href=#the-p-element>p</a></code> element
+ that contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code>
+ element's <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would
+ imply the end tag for the <code><a href=#the-p-element>p</a></code>).</p>
+
+ <p>This can enable cross-site scripting attacks. An example of this
+ would be a page that lets the user enter some font names that are
+ then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
+ which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
+ IDL attribute to get the HTML serialization of that
+ <code><a href=#the-style-element>style</a></code> element: if the user enters
+ "<code></style><script>attack</script></code>" as a font
+ name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
+ markup that, if parsed in a different context, would contain a
+ <code><a href=#script>script</a></code> node, even though no <code><a href=#script>script</a></code> node
+ existed in the original DOM.</p>
+
+ </div>
+
<p><dfn id=escapingString>Escaping a string</dfn> (for the
purposes of the algorithm above) consists of running the following
steps:</p>
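Review bot: The new "This can enable cross-site scripting attacks" paragraph in the example block describes the failure but gives authors nothing to act on; since the serialization algorithm above does not escape the text of raw text elements (the hunk's own `script` / "</script>" and `style` / "</style><script>attack</script>" cases show this), consider closing the paragraph with one sentence stating that authors must not treat serialize-then-reparse as a faithful round-trip and should reject or escape user-supplied text that cannot be represented in the element it is inserted into before relying on the serialization. A brief pointer that the "Escaping a string" steps immediately below apply only to attribute values and ordinary text, not to `script`, `style` or `textarea` content, would make the scope of the warning clearer.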
Modified: index
===================================================================
--- index 2011-02-07 22:16:28 UTC (rev 5838)
+++ index 2011-02-07 22:34:36 UTC (rev 5839)
@@ -80773,23 +80773,41 @@
</ol><p class=note>Entity reference nodes are <a href=#entity-references>assumed to be expanded</a> by the user
agent, and are therefore not covered in the algorithm above.</p>
- <p class=note>It is possible that the output of this algorithm, if
+ <p class=warning>It is possible that the output of this algorithm, if
parsed with an <a href=#html-parser>HTML parser</a>, will not return the
- original tree structure. For instance, if a <code><a href=#the-textarea-element>textarea</a></code>
- element to which a <code title="">Comment</code> node has been
- appended is serialized and the output is then reparsed, the comment
- will end up being displayed in the text field. Similarly, if, as a
- result of DOM manipulation, an element contains a comment that
- contains the literal string "<code title="">--></code>", then
- when the result of serializing the element is parsed, the comment
- will be truncated at that point and the rest of the comment will be
- interpreted as markup. More examples would be making a
- <code><a href=#script>script</a></code> element contain a text node with the text string
- "<code></script></code>", or having a <code><a href=#the-p-element>p</a></code> element that
- contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code> element's
- <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would imply the end
- tag for the <code><a href=#the-p-element>p</a></code>).</p>
+ original tree structure.</p>
+ <div class=example>
+
+ <p>For instance, if a <code><a href=#the-textarea-element>textarea</a></code> element to which a
+ <code title="">Comment</code> node has been appended is serialized
+ and the output is then reparsed, the comment will end up being
+ displayed in the text field. Similarly, if, as a result of DOM
+ manipulation, an element contains a comment that contains the
+ literal string "<code title="">--></code>", then when the result
+ of serializing the element is parsed, the comment will be truncated
+ at that point and the rest of the comment will be interpreted as
+ markup. More examples would be making a <code><a href=#script>script</a></code> element
+ contain a text node with the text string
+ "<code></script></code>", or having a <code><a href=#the-p-element>p</a></code> element
+ that contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code>
+ element's <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would
+ imply the end tag for the <code><a href=#the-p-element>p</a></code>).</p>
+
+ <p>This can enable cross-site scripting attacks. An example of this
+ would be a page that lets the user enter some font names that are
+ then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
+ which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
+ IDL attribute to get the HTML serialization of that
+ <code><a href=#the-style-element>style</a></code> element: if the user enters
+ "<code></style><script>attack</script></code>" as a font
+ name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
+ markup that, if parsed in a different context, would contain a
+ <code><a href=#script>script</a></code> node, even though no <code><a href=#script>script</a></code> node
+ existed in the original DOM.</p>
+
+ </div>
+
<p><dfn id=escapingString>Escaping a string</dfn> (for the
purposes of the algorithm above) consists of running the following
steps:</p>
Modified: source
===================================================================
--- source 2011-02-07 22:16:28 UTC (rev 5838)
+++ source 2011-02-07 22:34:36 UTC (rev 5839)
@@ -95992,23 +95992,41 @@
href="#entity-references">assumed to be expanded</a> by the user
agent, and are therefore not covered in the algorithm above.</p>
- <p class="note">It is possible that the output of this algorithm, if
+ <p class="warning">It is possible that the output of this algorithm, if
parsed with an <span>HTML parser</span>, will not return the
- original tree structure. For instance, if a <code>textarea</code>
- element to which a <code title="">Comment</code> node has been
- appended is serialized and the output is then reparsed, the comment
- will end up being displayed in the text field. Similarly, if, as a
- result of DOM manipulation, an element contains a comment that
- contains the literal string "<code title="">--></code>", then
- when the result of serializing the element is parsed, the comment
- will be truncated at that point and the rest of the comment will be
- interpreted as markup. More examples would be making a
- <code>script</code> element contain a text node with the text string
- "<code></script></code>", or having a <code>p</code> element that
- contains a <code>ul</code> element (as the <code>ul</code> element's
- <span title="syntax-start-tag">start tag</span> would imply the end
- tag for the <code>p</code>).</p>
+ original tree structure.</p>
+ <div class="example">
+
+ <p>For instance, if a <code>textarea</code> element to which a
+ <code title="">Comment</code> node has been appended is serialized
+ and the output is then reparsed, the comment will end up being
+ displayed in the text field. Similarly, if, as a result of DOM
+ manipulation, an element contains a comment that contains the
+ literal string "<code title="">--></code>", then when the result
+ of serializing the element is parsed, the comment will be truncated
+ at that point and the rest of the comment will be interpreted as
+ markup. More examples would be making a <code>script</code> element
+ contain a text node with the text string
+ "<code></script></code>", or having a <code>p</code> element
+ that contains a <code>ul</code> element (as the <code>ul</code>
+ element's <span title="syntax-start-tag">start tag</span> would
+ imply the end tag for the <code>p</code>).</p>
+
+ <p>This can enable cross-site scripting attacks. An example of this
+ would be a page that lets the user enter some font names that are
+ then inserted into a CSS <code>style</code> block via the DOM and
+ which then uses the <code title="dom-innerHTML">innerHTML</code>
+ IDL attribute to get the HTML serialization of that
+ <code>style</code> element: if the user enters
+ "<code></style><script>attack</script></code>" as a font
+ name, <code title="dom-innerHTML">innerHTML</code> will return
+ markup that, if parsed in a different context, would contain a
+ <code>script</code> node, even though no <code>script</code> node
+ existed in the original DOM.</p>
+
+ </div>
+
<p><dfn id="escapingString">Escaping a string</dfn> (for the
purposes of the algorithm above) consists of running the following
steps:</p>
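Review bot: In the source hunk the example strings "</script>" and "</style><script>attack</script>" appear inside `<code>` with unescaped angle brackets; if that is how the committed source reads (rather than the mail archive having decoded `&lt;` entities), the spec's own page would contain a real `script` element inside the example, which is exactly the hazard this warning is raising. Please confirm the `<` of `</style>`, `<script>` and `</script>` is written as `&lt;` in source, matching how the existing "-->" example is escaped, so the generated complete.html and index files carry it as text rather than markup.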
More information about the Commit-Watchers
mailing list