[whatwg] base64 entities

Adam Barth w3c at adambarth.com
Thu Aug 26 15:28:57 PDT 2010


2010/8/26 Kornel Lesiński <kornel at geekhood.net>:
> On Wed, 25 Aug 2010 22:52:42 +0100, Kornel Lesiński <kornel at geekhood.net>
> wrote:
>>> <script>
>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>> </script>
>>
>> These cases can be secured without any new features in browsers (by
>> escaping whitespace using numeric entities):
>
> I realized I was wrong about this one. It won't prevent script injection in
> JS strings (in places where entities are decoded, including <script> in
> XML), because the entity will be changed to plain text before JavaScript is
> tokenized.

Indeed.  This is not a feature for XML.  XML won't decode the entity
at all.  In HTML, <script> doesn't decode entities, so the pattern is
safe.

Adam
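As an added illustration that is not part of this thread, the contrast Adam describes can be checked by feeding the same constructed `<script>` element to Python's html.parser (which switches to raw script-data mode for `<script>`, as a browser's HTML parser does) and to an XML parser; the markup and the helper names are my own:

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed sample: the server-rendered output of the pattern under
# discussion, with the user-supplied part encoded as numeric character
# references instead of literal '<' and '>'.
SAMPLE = ("<script>elmt.innerHTML = "
          "'Hi there &#x3C;b&#x3E;Kornel&#x3C;/b&#x3E;.';</script>")


class ScriptBodyExtractor(HTMLParser):
    """Collect the text inside <script> exactly as the HTML tokenizer emits it.

    In script-data (CDATA) mode html.parser does not decode character
    references, so handle_data receives the raw bytes of the element body.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.bodies = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.bodies[-1] += data


def script_text_html(markup):
    """Script source the JS engine sees when markup is parsed as text/html."""
    parser = ScriptBodyExtractor()
    parser.feed(markup)
    parser.close()
    return parser.bodies


def script_text_xml(markup):
    """Script source the JS engine sees when the same markup is parsed as XML
    (XHTML): character references are decoded before the script runs."""
    root = ET.fromstring("<root>" + markup + "</root>")
    return [el.text or "" for el in root.iter("script")]


if __name__ == "__main__":
    print("HTML:", script_text_html(SAMPLE))  # references left as-is
    print("XML: ", script_text_xml(SAMPLE))   # references decoded to < and >
```

In the HTML case the JavaScript string contains the literal six characters `&#x3C;`, so no `<` ever reaches the JS tokenizer; in the XML case it contains a real `<`, which is why the entity trick only holds for HTML.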
