[whatwg] comment parsing
dveditz at cruzio.com
Sun Jan 22 19:21:04 PST 2006
Lachlan Hunt wrote:
> Ian Hickson wrote:
>> A DOS attack on the server could cause the transmitted text to be:
>> <script> hostileScript(): </script>
>> ...which, if we re-parse the content upon hitting EOF with an open
>> comment, would cause the script to be executed.
> I don't understand these security concerns. How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it? Won't the script be executed in
> exactly the same way in both cases?
We're assuming the web app is not going to allow anyone to write the
plain <script> tags--a clear XSS risk--and that if it did allow comments
it might not sanitize their contents, assuming them to be "safe".
More information about the whatwg