[whatwg] base64 entities

Kornel Lesiński kornel at geekhood.net
Thu Aug 26 15:40:06 PDT 2010


On 26.08.2010, at 23:28, Adam Barth wrote:
>> 
>>>> <script>
>>>> elmt.innerHTML = 'Hi there <?php echo htmlspecialchars($name) ?>.';
>>>> </script>
>>> 
>>> These cases can be secured without any new features in browsers (by
>>> escaping whitespace using numeric entities):
>> 
>> I realized I was wrong about this one. It won't prevent script injection in
>> JS strings (in places where entities are decoded, including <script> in
>> XML), because the entity will be changed to plain text before JavaScript is
>> tokenized.
> 
> Indeed.  This is not a feature for XML.  XML won't decode the entity
> at all.  In HTML, <script> doesn't decode entities, so the pattern is
> safe.

Yes, but in that case JS would have to decode the entity on its own. It wouldn't be strictly an HTML feature, but would also change the interpretation of JS string literals. And what if you use this entity outside a JS string? In a regex literal?

What about onclick="show('&%base64;')"? Should this be left insecure, or should the HTML parser have special entity handling for on* attributes? And then what's the meaning of onclick="show('&%base64;')"?

-- 
regards, Kornel
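
The two contexts discussed in this thread, modelled as an added example that is not part of the original message: `<script>` content reaches the JS engine undecoded, while an on* attribute value has its character references decoded first, so HTML escaping alone does not protect a JS string there. The helper names, the `ENT_QUOTES` behaviour, the simplified decoder, the JS-escaping variant and the input are assumptions made for the illustration.

```javascript
// Added illustration: helper names are hypothetical, the input is constructed.

// Models PHP htmlspecialchars() with ENT_QUOTES (assumption: quotes are escaped).
function htmlspecialchars(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Simplified model of the HTML parser decoding character references in an
// attribute value; covers numeric references and the four named ones above.
function decodeAttributeValue(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"' };
  return s.replace(/&(?:#(\d+)|#x([0-9a-f]+)|(amp|lt|gt|quot));/gi, (m, dec, hex, name) =>
    dec ? String.fromCodePoint(Number(dec))
        : hex ? String.fromCodePoint(parseInt(hex, 16))
              : named[name.toLowerCase()]);
}

// Escape for a JS string literal: every character outside [A-Za-z0-9 ] becomes \uXXXX.
function jsStringEscape(s) {
  return s.replace(/[^A-Za-z0-9 ]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Minimal scanner: body of the first single-quoted literal and what follows it.
function firstStringLiteral(src) {
  const start = src.indexOf("'");
  let i = start + 1;
  while (i < src.length && src[i] !== "'") i += src[i] === '\\' ? 2 : 1;
  return { body: src.slice(start + 1, i), rest: src.slice(i + 1) };
}

// Source text the JS engine receives in each context.
const inScript = value => `show('${htmlspecialchars(value)}')`; // raw text, nothing decoded
const inHandlerAttr = value => decodeAttributeValue(`show('${htmlspecialchars(value)}')`);
const inHandlerAttrHardened = value =>
  decodeAttributeValue(`show('${htmlspecialchars(jsStringEscape(value))}')`);

const name = "O'Brien"; // constructed input
for (const f of [inScript, inHandlerAttr, inHandlerAttrHardened]) {
  console.log(f.name, JSON.stringify(firstStringLiteral(f(name))));
}
```

A `rest` of `)` means the literal still spans the whole argument; anything else means the string ended early once the parser decoded the reference.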





