Closed Bug 530476 Opened 15 years ago Closed 15 years ago

Security vulnerability problem about comment

Categories

(Core :: DOM: HTML Parser, defect)

Product:
Core
Component:
DOM: HTML Parser
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 214476

People

(Reporter: zjw0358, Unassigned)

References

(
URL
)

Details

(Whiteboard: [sg:dupe 214476])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 GTB6 (.NET CLR 3.5.30729) Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 GTB6 (.NET CLR 3.5.30729) this will cause a security problem,for example:xss code: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html> <head> <title>Firfox HTML Comment BUG test | p.z</title> <head> <body> This is body.<!--comment--comment.>This section should be hidden--> </body> </html> show: This is body.This section should be hidden--> Reproducible: Always
Whiteboard: [sg:dupe 214476]
Component: General → HTML: Parser
QA Contact: general → parser
If you take out the doctype then in pure quirks mode we render this as you are expecting us to. If you send it with the correct XHTML content type of application/xhtml+xml then we'll refuse to render the page at all due to the badly formed comment. With this doctype sent as HTML we try to give you the stricter interpretation of HTML that you appear to be asking for. See bug 214476 comment 84 HTML5 defines slightly different behavior that will attempt to bring browsers into some sort of consistency. That's what bug 214476 is about.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.