Possible security flaw in handling of code...




13 years ago
13 years ago


(Reporter: sun_burn_135, Unassigned)


Firefox Tracking Flags

(Not tracked)





13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Story: I started running IIS and wanted to put up a web page, but I'm a 'n00b'
as they say. I made a bunch of errors, mostly in putting ending tags (IE I put
"<title> fdshesjfhesjkdsf" WITHOUT the "</title>" ending tag). Well, I could
still view the page perfectly, but people using IE could not. I eventually fixed
the problem, but it occured to me: if it's running bad code, isn't that a
security flaw? Maybe I'm wrong, but if the code is bad, shouldn't it display an
error, instead of a fine site. 

P.S. Although I fixed the error on my site, I've deleted the '</title>' tag
intentionally, to reproduce the error, just for you guys.

Reproducible: Always

Steps to Reproduce:
1. Access the site via Mozilla. It works! (read the source code!)
2. Access the site via IE. (And read source code)

Actual Results:  
The page displayed in Mozilla fine. But in Internet Explorer, it didn't display
at all. But you could read the source code in IE still.

Note: Others got this error as well when viewing my site.

Expected Results:  
I'm not an expert but I ASSUME that if the site has bad code, the browser should
give an error message instead of automagically displaying the site.
Not a security bug (there is no exploit described).

INVALID. Error handling is not a bug. It's a feature. If we were to report every
error instead of trying to "muddle on through", we'd end up not displaying 99%
of the Web, which would be a bit of a problem.
Group: security
Last Resolved: 13 years ago
Resolution: --- → INVALID
It's far more common people test their site in IE and have it not render
correctly in Mozilla -- each browser handles non-standard HTML with different
quirks for historical reasons.

Try some of the validators out there, although even validated code can render
differently in different browsers.
You need to log in before you can comment on or make changes to this bug.