Closed Bug 215622 Opened 21 years ago Closed 20 years ago

HTML numeric entities overflow

Categories

(Core :: DOM: HTML Parser, defect)

x86
Linux
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: metaur, Assigned: harishd)

Details

User-Agent:       Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 4.0; tekaz)
Build Identifier: 

HTML's numeric entities overflow at 2 ** 32, 2 ** 64 and so on. This means that 
there is an infinite number of entities that Mozilla will interpret as a colon 
for instance (58, 58 + 2 ** 32, 58 + 2 ** 64..).

Reproducible: Always

Steps to Reproduce:
1. Create an HTML document with bignum numeric entities.
2. View it in Mozilla.
3.

Actual Results:  
It showed the characters with the value given in the lowest 32 bits of the 
numeric value.

Expected Results:  
Ignore it, show it as text, show it as a question mark..

Can you attach the minimum testcase that shows the error via the "create a new
attachment" link above?

Um.. why should they not overflow? The code in question is invalid HTML; the
error-handling is undefined.  So we should do something that makes sense is all...

What do other browsers do?

I have posted a short test document here:

http://lists.insecure.org/lists/webappsec/2003/Jul-Sep/0047.html

This bignum entity thing works in Mozilla, Galeon, Opera and w3m - but not in 
Internet Explorer, Lynx, Elinks and Konqueror.

One of the reasons why I dislike this bignum entity behaviour is that it makes 
it harder to process HTML code correctly, if you want to write an HTML filter 
and remove bad constructs in web applications for instance.

// Ulf Harnhammar
   metaur@operamail.com

Marking as WONTFIX. I don't see a point in changing our behavior on this invalid
HTML. If you need to look for these constructions, you should reject the lowest
common denominator anyway (and more than one browser does this).
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
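
An added example, not part of the bug thread and not Mozilla's code: a sketch of how an HTML filter, the use case raised in the discussion, can account for the wrapping described in the report. The function names, the 32-bit default and the choice of U+FFFD as the replacement are assumptions of this example.

```python
import re

# Decimal or hexadecimal numeric character reference; the ';' is optional
# because lenient parsers also accept references without it.
NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
MAX_CODE_POINT = 0x10FFFF


def ref_value(match):
    """Exact value of a matched reference; Python integers never wrap."""
    try:
        return int(match.group(1), 16) if match.group(1) else int(match.group(2))
    except ValueError:
        # Recent CPython versions reject very long decimal strings by default;
        # such a reference is certainly out of range.
        return MAX_CODE_POINT + 1


def audit_refs(text, bits=32):
    """List (reference, aliased character) for each out-of-range reference
    that a parser keeping only the lowest `bits` bits maps to a real character.
    References too long to convert are not listed here, but neutralize_refs
    still replaces them."""
    findings = []
    for match in NUMERIC_REF.finditer(text):
        value = ref_value(match)
        low = value % (1 << bits)
        if value > MAX_CODE_POINT and 0 < low <= MAX_CODE_POINT:
            findings.append((match.group(0), chr(low)))
    return findings


def neutralize_refs(text):
    """Replace every out-of-range reference with U+FFFD, so wrapping and
    non-wrapping parsers downstream see the same harmless character."""
    return NUMERIC_REF.sub(
        lambda m: "&#xFFFD;" if ref_value(m) > MAX_CODE_POINT else m.group(0), text)


# Constructed sample: the three spellings of a colon listed in the report.
SAMPLE = f"a&#58;b a&#{58 + 2**32};b a&#{58 + 2**64};b"

if __name__ == "__main__":
    print(audit_refs(SAMPLE))
    print(neutralize_refs(SAMPLE))
```

A filter that compares decoded characters against a blocklist should run `neutralize_refs` (or reject the input) before decoding, since the in-range form `&#58;` is the only spelling every browser named in the thread reads the same way.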