[whatwg] base64 entities
Kornel Lesiński
kornel at geekhood.net
Thu Aug 26 14:53:26 PDT 2010
On Wed, 25 Aug 2010 22:52:42 +0100, Kornel Lesiński <kornel at geekhood.net>
wrote:
>> <script>
>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>> </script>
>
> These cases can be secured without any new features in browsers (by
> escaping whitespace using numeric entities):

I realized I was wrong about this one. It won't prevent script injection
in JS strings (in places where entities are decoded, including <script> in
XML), because the entity will be changed to plain text before JavaScript is
tokenized.

For this reason, base64 entities won't solve this problem either, unless
they're specifically defined as a JavaScript construct, not only an HTML
construct (and I think such a mix of parsers would be bad).

If the parser decoded such entities in <script> (like XHTML does):

    foo = '&%JztldmlsKCk7Jw==;'

then the decoded string passed to the JS parser would look like:

    innerHTML = '';evil();''

which defeats the purpose of the encoding.

OTOH if the HTML parser didn't decode these entities in <script> (which is
the current text/html behavior), then JS would get the undecoded string (i.e.
foo.charAt(0) == '&').

--
regards, Kornel
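
The two parser behaviours described in the message above, as an added example that is not part of the original post. It also covers the numeric-entity form from the quoted suggestion. decodeEntities and runAsScript are hypothetical helpers, the script bodies are constructed, and the `&%...;` syntax is only the proposal under discussion; evil() is a harmless stub.

```javascript
// Added illustration, not code from the thread. `&%...;` is the base64-entity
// syntax proposed in this discussion; no browser implements it.

// Hypothetical stand-in for a parser that decodes entities inside <script>
// (as XHTML does for ordinary entities). Handles &#NN; and the proposed &%b64;.
function decodeEntities(text) {
  return text
    .replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
    .replace(/&%([A-Za-z0-9+\/]+={0,2});/g,
      (_, b64) => Buffer.from(b64, 'base64').toString('utf8'));
}

// Hand script text to the JS engine with a harmless stub for evil(),
// and report whether the stub ran and what `foo` ended up holding.
function runAsScript(source) {
  let evilCalled = false;
  const evil = () => { evilCalled = true; };
  const foo = new Function('evil', source + '\nreturn foo;')(evil);
  return { evilCalled, foo };
}

// Constructed script bodies: the value is "';evil();'" in each encoding.
const base64Form = "var foo = '&%JztldmlsKCk7Jw==;'";
const numericForm = "var foo = '&#39;;evil();&#39;'";

// XHTML-like: entities are decoded before the JS tokenizer sees the text,
// so the decoded quote ends the string literal and evil() becomes code.
const xhtmlBase64 = runAsScript(decodeEntities(base64Form));
const xhtmlNumeric = runAsScript(decodeEntities(numericForm));

// text/html-like: <script> content reaches the JS engine undecoded,
// so foo is just the literal entity text.
const htmlBase64 = runAsScript(base64Form);

console.log({ xhtmlBase64, xhtmlNumeric, htmlBase64 });
```
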