[whatwg] base64 entities
kornel at geekhood.net
Thu Aug 26 14:53:26 PDT 2010
On Wed, 25 Aug 2010 22:52:42 +0100, Kornel Lesiński <kornel at geekhood.net>
>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
> These cases can be secured without any new features in browsers (by
> escaping whitespace using numeric entities):
I realized I was wrong about this one. It won't prevent script injection
in JS strings (in places where entities are decoded, including <script> in
For this reason, base64 entities won't solve this problem either, unless
construct (and I think such mix of parser would be bad).
If the parser decoded such entities in <script> (like XHTML does):
foo = '&%JztldmlsKCk7Jw==;'
then the decoded string passed to the JS parser would look like:
innerHTML = '';evil();''
which defeats the purpose of the encoding.
OTOH if the HTML parser didn't decode these entities in <script> (which is
the current text/html behavior), then JS would get the undecoded string (i.e.
foo.charAt(0) == '&').
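The two parser cases described in the post, worked through in code. This is an added example, not part of the original message or of any browser: the `&%<base64>;` entity syntax and the `decodeBase64Entities` helper are assumptions modelling the proposal, the payload is the constructed one from the thread, and `jsStringLiteral` shows the escaping that does hold in a JS string context.

```javascript
// Added example (not from the original post). Models the hypothetical
// "&%<base64>;" entity with a small decoder, shows what the JS parser would
// see in each of the two cases, and contrasts that with escaping the value
// for a JS string literal.

// Assumption: a decoder for the proposed "&%<base64>;" entity syntax.
function decodeBase64Entities(markup) {
  return markup.replace(/&%([A-Za-z0-9+/=]+);/g, (_, b64) =>
    Buffer.from(b64, 'base64').toString('utf8'));
}

// Case 1 (XHTML-like): the markup parser decodes entities inside <script>,
// so the decoded bytes are spliced straight into the JS source text.
function scriptSourceIfDecoded(scriptText) {
  return decodeBase64Entities(scriptText);
}

// Case 2 (text/html): entities inside <script> are left untouched, so the
// JS string literal contains the raw entity text, starting with '&'.
function scriptSourceIfNotDecoded(scriptText) {
  return scriptText;
}

// Walks a single-quoted JS literal honouring backslash escapes and reports
// whether the first unescaped closing quote is the final character, i.e.
// whether the embedded value stayed inside the intended string literal.
function staysInsideLiteral(literal) {
  if (literal[0] !== "'") return false;
  for (let i = 1; i < literal.length; i++) {
    if (literal[i] === '\\') { i++; continue; }      // skip escaped character
    if (literal[i] === "'") return i === literal.length - 1;
  }
  return false;                                       // unterminated literal
}

// The mitigation that works for this context: escape the value for a JS
// string literal. Every character outside [A-Za-z0-9 ] becomes \uXXXX, which
// also neutralises "</script>" and the U+2028/U+2029 line terminators.
function jsStringLiteral(value) {
  const body = value.replace(/[^A-Za-z0-9 ]/g, c =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
  return "'" + body + "'";
}

// Constructed sample from the thread: base64 of the text  ';evil();'
const PAYLOAD_B64 = 'JztldmlsKCk7Jw==';
const SCRIPT_TEXT = "foo = '&%" + PAYLOAD_B64 + ";'";
const PREFIX = 'foo = ';

function demo() {
  const decoded = scriptSourceIfDecoded(SCRIPT_TEXT);          // foo = '';evil();''
  const decodedLiteral = decoded.slice(PREFIX.length);
  const undecodedLiteral = scriptSourceIfNotDecoded(SCRIPT_TEXT).slice(PREFIX.length);
  const rawValue = Buffer.from(PAYLOAD_B64, 'base64').toString('utf8');
  const escaped = jsStringLiteral(rawValue);
  return {
    decoded,
    breaksOutWhenDecoded: !staysInsideLiteral(decodedLiteral),
    undecodedStaysInside: staysInsideLiteral(undecodedLiteral),
    undecodedFirstChar: undecodedLiteral.slice(1, -1).charAt(0),
    escapedStaysInside: staysInsideLiteral(escaped),
    // Evaluating our own escaped literal proves it round-trips to the value.
    escapedRoundTrips: Function('return ' + escaped)() === rawValue,
  };
}

console.log(demo());
```

Running it shows the decoding case yielding `foo = '';evil();''` with the literal closed early, the non-decoding case yielding a string whose first character is `&`, and the escaped literal staying intact while still evaluating to the original value.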