[whatwg] comment parsing

Lachlan Hunt lachlan.hunt at lachy.id.au
Sun Jan 22 18:50:28 PST 2006


Ian Hickson wrote:
> Imagine that the page contains the following:
> 
>    ...
>    <!--
>      <script> hostileScript(): </script>
>    -->
>    ...
> 
> ...where "hostileScript()" is some script that does something bad.
> 
> A DOS attack on the server could cause the transmitted text to be:
> 
>    ...
>    <!--
>      <script> hostileScript(): </script>
> 
> ...which, if we re-parse the content upon hitting EOF with an open 
> comment, would cause the script to be executed.

I don't understand these security concerns.  How is reparsing it after 
reaching EOF any different from someone writing exactly the same script 
without opening a comment before it?  Won't the script be executed in 
exactly the same way in both cases?

However, don't take this as support for choosing to reparse it, I don't 
like the concept of doing that at all for other reasons, I just don't 
understand this security concern.

-- 
Lachlan Hunt
http://lachy.id.au/




More information about the whatwg mailing list