[whatwg] base64 entities
kornel at geekhood.net
Thu Aug 26 15:40:06 PDT 2010
On 26.08.2010, at 23:28, Adam Barth wrote:
>>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>> These cases can be secured without any new features in browsers (by
>>> escaping whitespace using numeric entities):
>> I realized I was wrong about this one. It won't prevent script injection in
>> JS strings (in places where entities are decoded, including <script> in
> Indeed. This is not a feature for XML. XML won't decode the entity
> at all. In HTML, <script> doesn't decode entities, so the pattern is
Yes, but in that case JS would have to decode the entity on its own. It wouldn't be strictly an HTML feature, but would also change the interpretation of JS string literals. And what if you use this entity outside a JS string? In a regex literal?
What about onclick="show('&%base64;')"? Should this be left insecure, or should the HTML parser have special entity handling for on* attributes? And then what's the meaning of onclick="show('&%base64;')"?