[whatwg] Script-related feedback
Glenn Maynard
glenn at zewt.org
Mon Jan 7 20:09:43 PST 2013
On Mon, Jan 7, 2013 at 7:20 PM, Adam Barth <w3c at adambarth.com> wrote:
> > This could even be done in a backwards-compatible fashion by having the
> > syntax to do this be something that down-level clients ignore, e.g.:
> >
>
> > /*@BREAK*/
> >
> > ...or some such.
>
> That approach is an in-band signal, which means it's vulnerable to
> injection attacks. For example, consider a server that produces a
> JavaScript file of the following form:
>
> [...]
> var userData = "<?php echo santize($userData) ?>";
> [...]
>
> Currently, the rules for sanitizing using input are relatively
> straightforward (essentially, you just need to worry about a few
> special characters). However, if we implemented an in-band signaling
> we might well break these sanitation algorithms.
>
> To make this secure, we'd probably want some sort of randomized
> delimiter (perhaps declared via a pragma at the top of the file), but
> then we would have just re-invented multipart/mixed.
>
The suggestion was the comment /*@BREAK*/, which the string literal
"/*@BREAK*/" wouldn't match, being a string token, not a comment, right?
--
Glenn Maynard
More information about the whatwg
mailing list