[whatwg] Parsing: < in unquoted attribute values

Jonas Sicking jonas at sicking.cc
Fri Apr 27 03:51:37 PDT 2007


Anne van Kesteren wrote:
> On Thu, 26 Apr 2007 02:17:12 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>> We do no longer support this in mozilla (if we ever did). A reason we 
>> now explicitly forbid this is we don't want it to ever be possible to 
>> create elements with 'illegal' names. Same thing goes for attribute 
>> names. This is partially for security reasons since some elements and 
>> attributes carry very important security information.
> 
> Could you elaborate on the security issues? Could you also give a 
> definition of "illegal names" as it's not really clear to me what that 
> means for HTML.

Basically, for <input< type=file value="/etc/passwd">, if part of the 
code thinks that that is an "input<" element, where as other parts 
thinks that is and "input" element, you might end up in a situation 
where the browser sends the /etc/passwd file to the server without user 
interaction.

It also seems like a bad idea to allow a document to be parsed such as 
there is no way to serialize it without creating an invalid html5 
serialization.

As far as element names go, i don't really see a reason to allow more, 
or less, characters than the XML spec lets you use.

/ Jonas



More information about the whatwg mailing list