[whatwg] comment parsing

[Daniel Veditz]

Lachlan Hunt wrote:
> Ian Hickson wrote:
>> A DOS attack on the server could cause the transmitted text to be:
>>
>>    ...
>>    <!--
>>      <script> hostileScript(): </script>
>>
>> ...which, if we re-parse the content upon hitting EOF with an open
>> comment, would cause the script to be executed.
> 
> I don't understand these security concerns.  How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it?  Won't the script be executed in
> exactly the same way in both cases?

We're assuming the web app is not going to allow anyone to write the
plain <script> tags--a clear XSS risk--and that if it did allow comments
it might not sanitize their contents, assuming them to be "safe".