[whatwg] Parsing: < in unquoted attribute values
Jonas Sicking
jonas at sicking.cc
Fri Apr 27 03:51:37 PDT 2007
Anne van Kesteren wrote:
> On Thu, 26 Apr 2007 02:17:12 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>> We no longer support this in Mozilla (if we ever did). A reason we
>> now explicitly forbid this is that we don't want it to ever be possible to
>> create elements with 'illegal' names. The same goes for attribute
>> names. This is partially for security reasons, since some elements and
>> attributes carry very important security information.
>
> Could you elaborate on the security issues? Could you also give a
> definition of "illegal names" as it's not really clear to me what that
> means for HTML.
Basically, for <input< type=file value="/etc/passwd">, if part of the
code thinks that that is an "input<" element, whereas other parts
think that it is an "input" element, you might end up in a situation
where the browser sends the /etc/passwd file to the server without user
interaction.
It also seems like a bad idea to allow a document to be parsed such that
there is no way to serialize it without creating an invalid HTML5
serialization.
As far as element names go, I don't really see a reason to allow more,
or fewer, characters than the XML spec lets you use.
/ Jonas
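The parser-differential Jonas describes, as an added example that is not part of the thread and not Mozilla's code: a toy start-tag tokenizer keeps the raw tag name (the HTML5 tokenizer likewise keeps a stray "<" as part of the tag name, so "<input<" is not an input element), and a toy form-submission check is run under two policies. The "lenient" policy stands in for a component that prefix-matches the name and would treat "input<" as "input"; the "strict" policy requires an exact match and a name that passes a simplified, ASCII-only version of the XML Name production (an assumption made for brevity; the real production admits many more characters). The function names, the policy labels and the sample markup are constructed for this illustration.

```javascript
// Added illustration of the "input<" vs "input" mismatch; not code from the
// whatwg thread or from any browser. The Name grammar below is a simplified
// ASCII subset of XML's Name production (assumption made for brevity).
const NAME_START = /^[A-Za-z_:]$/;
const NAME_CHAR = /^[A-Za-z0-9_:.\-]$/;

// Does `name` satisfy the (simplified) XML Name grammar? "input<" must not.
function isValidName(name) {
  if (name.length === 0 || !NAME_START.test(name[0])) return false;
  for (const ch of name.slice(1)) {
    if (!NAME_CHAR.test(ch)) return false;
  }
  return true;
}

// Tokenize a single start tag into { name, attrs }. The tag name runs until
// whitespace, "/" or ">", so a "<" inside the name is kept, as the HTML5
// tokenizer does. Attribute values may be unquoted or quoted.
function tokenizeStartTag(src) {
  if (src[0] !== '<') return null;
  let i = 1;
  let name = '';
  while (i < src.length && !/[\s\/>]/.test(src[i])) name += src[i++];
  const attrs = {};
  while (i < src.length) {
    while (i < src.length && /\s/.test(src[i])) i++;
    if (i >= src.length || src[i] === '>') break;
    let key = '';
    while (i < src.length && !/[\s=>]/.test(src[i])) key += src[i++];
    let value = '';
    while (i < src.length && /\s/.test(src[i])) i++;
    if (src[i] === '=') {
      i++;
      while (i < src.length && /\s/.test(src[i])) i++;
      if (src[i] === '"' || src[i] === "'") {
        const quote = src[i++];
        while (i < src.length && src[i] !== quote) value += src[i++];
        i++; // skip closing quote
      } else {
        while (i < src.length && !/[\s>]/.test(src[i])) value += src[i++];
      }
    }
    attrs[key.toLowerCase()] = value;
  }
  return { name: name.toLowerCase(), attrs };
}

// A toy form submitter: which file path would this element contribute?
//   lenient: prefix-matches the tag name (the inconsistent component).
//   strict:  exact match on a name that also passes isValidName.
// Returns the path to send, or null when the element is not a file input.
function fileToSubmit(tag, policy) {
  if (!tag || tag.attrs.type !== 'file') return null;
  const isInput = policy === 'lenient'
    ? tag.name.startsWith('input')
    : tag.name === 'input' && isValidName(tag.name);
  return isInput ? (tag.attrs.value ?? null) : null;
}

// Constructed sample markup, the case from the mail.
const SAMPLE = '<input< type=file value="/etc/passwd">';

// Both components see the same token; only the strict policy refuses to
// treat it as an input, so nothing is sent without user interaction.
const token = tokenizeStartTag(SAMPLE);
console.log(token.name, fileToSubmit(token, 'lenient'), fileToSubmit(token, 'strict'));
```

The point of the pair of policies is that the risk is not in the tokenizer alone: the tokenizer above is consistent, and the file still leaks if any downstream component applies a looser notion of "is this an input" than the parser did. Rejecting names outside a single agreed grammar at parse time removes that class of disagreement.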