Closed Bug 269116 Opened 20 years ago Closed 20 years ago

There shouldn't be </plaintext> tag, <plaintext> should be effective up to EOF

Categories

(Core :: DOM: HTML Parser, defect)

x86
FreeBSD
defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: alex, Unassigned)

References

Details

(Whiteboard: [sg:nse])

User-Agent:       Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040820 Firefox/0.9.3
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040820 Firefox/0.9.3

As per the old HTML 3.2 & 2.0 standards, the <plaintext> tag does not have a
corresponding closing tag.

HTML 4.0 and up do not contain <plaintext> at all.

Reproducible: Always
Steps to Reproduce:
<plaintext></plaintext><script>nasties;</script>
Actual Results:  
script executes

Expected Results:  
interpret everything after <plaintext> as CDATA

This can easily be exploited in a certain combination of server-client software.
If the server is a webmail/forum/wiki which sanitizes user input HTML via a
compliant parser (e.g. the very popular Perl HTML::Parser), then it will pass
anything after <plaintext> unchanged, but client Mozilla will resume parsing
after </plaintext>.
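The server/client parser differential the reporter describes, as an added example in JavaScript (this is illustration code, not Gecko's parser or HTML::Parser): a minimal tag tokenizer with two switchable <plaintext> policies, a sanitizer built on the HTML 2.0 policy (the server side), and a count of <script> start tags each kind of client would act on. The allow-list and the benign sample post are constructed for the example; the proof-of-concept string is the one from the report above.

```javascript
"use strict";

// Added example (not Gecko or HTML::Parser code): a minimal tag tokenizer with two
// policies for <plaintext>, used to reproduce the server/client mismatch in this bug.
//   "eof"  - HTML 2.0/3.2 behaviour (also the PLAINTEXT state of today's HTML
//            tokenizer): everything after <plaintext> is raw text up to end of
//            input; no end tag is ever recognised.
//   "span" - the Mozilla behaviour described in this bug: <plaintext> is an
//            ordinary element, so </plaintext> closes it and markup after it is
//            parsed again.
function tokenize(html, plaintextPolicy) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<") {
      const next = html.indexOf("<", i);
      const end = next === -1 ? html.length : next;
      tokens.push({ type: "text", data: html.slice(i, end) });
      i = end;
      continue;
    }
    const close = html.indexOf(">", i);
    if (close === -1) { // unterminated tag: treat the remainder as text
      tokens.push({ type: "text", data: html.slice(i) });
      break;
    }
    const raw = html.slice(i + 1, close).trim();
    const isEnd = raw.startsWith("/");
    const name = (isEnd ? raw.slice(1) : raw).split(/\s+/)[0].toLowerCase();
    tokens.push({ type: isEnd ? "endtag" : "starttag", name });
    i = close + 1;
    if (!isEnd && name === "plaintext" && plaintextPolicy === "eof") {
      // Per HTML 2.0 nothing after <plaintext> is markup: emit the rest as text.
      if (i < html.length) tokens.push({ type: "text", data: html.slice(i) });
      break;
    }
  }
  return tokens;
}

// Number of <script> start tags a client using the given policy would act on.
function scriptTagsSeen(html, plaintextPolicy) {
  return tokenize(html, plaintextPolicy)
    .filter((t) => t.type === "starttag" && t.name === "script").length;
}

// Server-side sanitizer modelled on the setup in the report: an HTML 2.0-compliant
// parser ("eof" policy) keeps text verbatim and drops every tag not on the allow-list.
// Because the "eof" tokenizer sees "</plaintext><script>..." as text, it passes it
// through untouched, which is exactly the HTML::Parser behaviour the reporter describes.
function sanitize(html, allowedTags) {
  let out = "";
  for (const t of tokenize(html, "eof")) {
    if (t.type === "text") {
      out += t.data;
    } else if (allowedTags.has(t.name)) {
      out += (t.type === "endtag" ? "</" : "<") + t.name + ">";
    }
  }
  return out;
}

// Constructed inputs: the proof of concept from the report, plus a benign post.
const POC = "<plaintext></plaintext><script>nasties;</script>";
const BENIGN = "<b>hello</b><script>alert(1)</script>";
// Hypothetical allow-list; <plaintext> being allowed is what makes the mismatch bite.
const ALLOWED = new Set(["b", "i", "plaintext"]);

function demo() {
  const stored = sanitize(POC, ALLOWED); // what the server keeps and later serves
  return {
    stored,                                                // identical to POC
    scriptsForHtml2Client: scriptTagsSeen(stored, "eof"),  // 0: plaintext runs to EOF
    scriptsForSpanClient: scriptTagsSeen(stored, "span"),  // 1: parsing resumes after </plaintext>
    benignStored: sanitize(BENIGN, ALLOWED),               // "<b>hello</b>alert(1)"
  };
}

console.log(demo());
```

Run with `node`. The same sanitizer is safe against the benign post (the <script> element is stripped) and against an HTML 2.0 client (zero script tags seen), but the client that treats <plaintext> as an ordinary element sees one <script> start tag in the very bytes the sanitizer passed through. A sanitizer that drops <plaintext> itself but still keeps the trailing "text" verbatim is worse, since then every client sees the script.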
So, we recently dropped our (buggy) support for <plaintext> entirely. Maybe we
need to add it back? This seems like a valid concern.
Removing confidential flag, not an exploit in Mozilla itself and will get more
love as a public bug.
Group: security
Whiteboard: [sg:nse]
<plaintext> has been deprecated for almost 8 years now.  It has been obsolete
(not part of HTML) for 6.5 years.

Note that reporter is reporting the bug against a build _with_ what passed for
plaintext support in Mozilla before I removed it altogether.  Bugginess like
that was why it was removed.

We're not planning to support <plaintext> in any form going forward; it'll be
treated like <span>.  Given that per the current HTML specification there is no
reason to support <plaintext>, HTML::Parser would be well advised to treat it as
unimplemented in some UAs.  We should probably contact them about this...
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
My patch for HTML::Parser to (optionally) imitate Mozilla's HTML parser is
already committed and included in recent HTML::Parser on CPAN.

We probably cannot change the default behaviour.

This and what Boris has said means that the software combination I described
will always be vulnerable from now on unless the authors of specific parsers
will take measures (make it a special case) against <plaintext>.

All the other browsers seem to work as described in the HTML 2.0 standard, which
has been obsolete for a longer period than some of us have been writing code. But
as far as I understand it cost them nothing, which is why they still support it.

So I think that there IS indeed reason to support <plaintext>. I'd like to
reopen the bug.

P.S. Making <plaintext> a <span> alias instead of an <xmp> alias (as it was before)
does not change a single thing for the issue under discussion, as you all understand.
> So I think that there IS indeed reason to support <plaintext>.

If someone writes a patch to that effect, we may take it.  But it would take a
fair amount of time and effort to do, and just isn't worth it from our point of
view because the tag is pretty much unused.
fixed by bug 287990
Depends on: 287990
Resolution: WONTFIX → FIXED
Blocks: xss