[whatwg] Script-related feedback
ian at hixie.ch
Mon Jan 7 19:51:25 PST 2013
On Mon, 7 Jan 2013, Adam Barth wrote:
> > the user agent to act as if the end of the Program production had been
> > reached, and that it should treat the remainder of the file as another
> > Program?
> > This could even be done in a backwards-compatible fashion by having
> > the syntax to do this be something that down-level clients ignore,
> > e.g.:
> > /*@BREAK*/
> > ...or some such.
> That approach is an in-band signal, which means it's vulnerable to
> injection attacks.
If you can inject this, you can inject arbitrary code, so I don't see how
this would be a problem.
> following form:
> var userData = "<?php echo sanitize($userData) ?>";
> Currently, the rules for sanitizing user input are relatively
> straightforward (essentially, you just need to worry about a few special
Those simple rules would prevent anyone from inserting a pragma-like
comment, too, so that's fine.
> However, if we implemented an in-band signaling we might well break
> these sanitation algorithms.
How? I'm not suggesting changing any JS syntax, just making existing JS
syntax be used as a signal.
If making a comment do this is too dodgy, make it something like this:
...and for down-level support, define an explicit breakParsing function
that does nothing. If someone can insert a function call into JS, you've
definitely lost already.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
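An added example (Python, not code from the thread or either author) of the kind of sanitizer the `var userData = "<?php echo sanitize($userData) ?>";` template relies on, with a small decoder to show that an injected `/*@BREAK*/` never leaves the string literal; the exact escape set is my assumption of what the "few special characters" rule covers.

```python
# Assumed escape set for data placed inside a double-quoted JS string
# literal within an HTML <script> block.
_ESCAPES = {
    "\\": "\\\\",          # would otherwise start an escape sequence
    '"': '\\"',            # would close the literal early
    "/": "\\/",            # keeps "</script>" out of the rendered HTML
    "<": "\\x3c",          # keeps "<!--" and "</script>" from forming
    "\n": "\\n", "\r": "\\r",                  # line terminators end a literal
    "\u2028": "\\u2028", "\u2029": "\\u2029",  # JS line terminators too
}
_UNESCAPES = {"n": "\n", "r": "\r", '"': '"', "/": "/", "\\": "\\"}

def js_string_escape(text):
    """Escape text so it can sit between double quotes in a JS literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)

def embed(text):
    """Render the statement from the thread with the user data escaped."""
    return 'var userData = "' + js_string_escape(text) + '";'

def parse_double_quoted(src):
    """Decode one double-quoted JS literal at the start of src -> (value, rest)."""
    if not src.startswith('"'):
        raise SyntaxError("expected a double-quoted string literal")
    out, i = [], 1
    while i < len(src):
        ch = src[i]
        if ch == '"':
            return "".join(out), src[i + 1:]
        if ch == "\\":
            esc = src[i + 1]
            if esc in "xu":
                n = 2 if esc == "x" else 4
                out.append(chr(int(src[i + 2:i + 2 + n], 16))); i += 2 + n
            else:
                out.append(_UNESCAPES[esc]); i += 2
            continue
        if ch in "\n\r\u2028\u2029":
            raise SyntaxError("unterminated string literal")
        out.append(ch); i += 1
    raise SyntaxError("unterminated string literal")

# Constructed attacker value: tries to close the literal and add a comment + statement.
SAMPLE = '"; /*@BREAK*/ alert(1); //'

def demo(text=SAMPLE):
    """Escape, embed, then decode: the literal ends at the template's own quote."""
    stmt = embed(text)
    value, rest = parse_double_quoted(stmt[len("var userData = "):])
    return stmt, value, rest
```

The remainder returned by `demo()` is just the template's `;`, so the injected comment and call are only ever string content, which is the point that a sanitizer stopping the pragma also stops any code.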