[whatwg] several messages about XML syntax and HTML5

Simon Pieters zcorpan at hotmail.com
Fri Dec 8 14:09:18 PST 2006


From: Sander Tekelenburg <tekelenb at euronet.nl>
>Right. That's a window of opportunity (for the sort of attack I mentioned)
>I'm voicing concern about. I agree that it will likely be much harder when
>all browsers are HTML5-compliant and most authors produce HTML5. But before

Well... for the past 7-8 years it has been possible to use IE's conditional 
comments to completely hide everything from non-IE browsers:

   <!--[if IE]>
    ...page content...

Similarly, bugs in browsers' CSS implementation has made it possible to only 
show the content for a single browser, e.g.:

   body { display:none; }
   * html body { display:block; }

I'm sure you can find bugs or features in every language supported by 
browser vendors that allows for these kinds of attacks, and has been 
possible for years. If it hasn't happened as of now, why do you think it 
will happen in the next few years? Does it matter if it is HTML parsing that 
is exploited or some other technology?

Simon Pieters

Jämför priser på plasmateve http://pricerunner.msn.se/

More information about the whatwg mailing list