What does the HTML 5 spec say about how this should be parsed?
I suggest resolving this as INVALID. The w3schools example is about XML. This bug report is about HTML. XML parsing rules don't apply to HTML. Per HTML5, there's nothing special about the syntax "<![CDATA[" inside an HTML script. (Per HTML5, that syntax is special in an SVG script, but that's another story.) Therefore, the example given parses per HTML5 into a script element whose content is " /*<![CDATA[*/ // update should take a dyn parameter which allows characters '<' and '>' because there should not be evil in a CDATA section update('", another script element whose content is "alert('here i can hijack a session id for example => proof of concept successfull')" and " /*]]>*/ " as a trailing text node. If you echo arbitrary strings into string literals in inline scripts in text/html, the safe course of action (in legacy browsers and in HTML5-compliant browsers) is to escape < as \u003C and not to try to use <![CDATA[ ... ]]> or <!-- ... --> as escapes. Escaping < as \u003C protects both against the injection of the string "</script>" and against the injection of the string "<!--".
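The following is an added example, not part of this bug report and not Firefox code. It models the one rule from the HTML5 script data state that matters for the comment above (script content ends at the first case-insensitive `</script` followed by whitespace, `/` or `>`; `<![CDATA[` and `]]>` have no meaning in text/html) and contrasts a raw echo into a string literal with the `\u003C` escaping recommended above. The model is deliberately simplified: it ignores the script-data-escaped states that only come into play when `<script` appears inside a `<!-- ... -->` run, which the reported markup does not use. `update(...)` is a hypothetical page function and the injected string is constructed for the demonstration.

```javascript
// Simplified model of HTML5 "script data" tokenization (assumption: the
// script-data-escaped states for "<!--" ... "-->" are not modelled).
// Returns the raw text content of each <script> element found in `html`.
function scriptElementsOf(html) {
  const contents = [];
  const openTag = /<script(?=[\s/>])[^>]*>/gi;
  let open;
  while ((open = openTag.exec(html)) !== null) {
    const start = open.index + open[0].length;
    // Inside script data the ONLY terminator is "</script" + (space | "/" | ">").
    // "<![CDATA[", "]]>" and "<!--" are plain characters here.
    const closeTag = /<\/script(?=[\s/>])/gi;
    closeTag.lastIndex = start;
    const close = closeTag.exec(html);
    const end = close ? close.index : html.length;
    contents.push(html.slice(start, end));
    if (!close) break;
    // Resume scanning after the ">" that ends the close tag.
    const gt = html.indexOf('>', close.index);
    openTag.lastIndex = gt === -1 ? html.length : gt + 1;
  }
  return contents;
}

// Safe way to embed untrusted text as a JS string literal inside an inline
// <script> served as text/html: let JSON.stringify handle quotes, backslashes
// and control characters, then \uXXXX-escape "<", ">", "&" and the JS line
// terminators U+2028/U+2029. The result can never contain "</script" or "<!--".
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/[<>&\u2028\u2029]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).toUpperCase().padStart(4, '0'));
}

// Page template mirroring the reported markup: a string literal inside a
// CDATA "wrapper" that the text/html parser does not honour. `update` is hypothetical.
function inlineScriptPage(literal) {
  return '<script>\n/*<![CDATA[*/\nupdate(' + literal + ');\n/*]]>*/\n</script>';
}

// Constructed attacker-controlled input for the demonstration.
const CONSTRUCTED_INPUT = "</script><script>alert('injected')</script>";

function demo() {
  // Raw echo: the developer assumed the CDATA section would protect the literal.
  const naivePage = inlineScriptPage("'" + CONSTRUCTED_INPUT + "'");
  // Escaped: "<" becomes \u003C, so the parser never sees a "</script" terminator.
  const safePage = inlineScriptPage(jsStringLiteral(CONSTRUCTED_INPUT));
  return {
    naiveScripts: scriptElementsOf(naivePage), // two elements: the literal was broken out of
    safeScripts: scriptElementsOf(safePage),   // one element: the literal stayed intact
    safeLiteral: jsStringLiteral(CONSTRUCTED_INPUT),
  };
}

const result = demo();
console.log('naive page yields', result.naiveScripts.length, 'script element(s)');
console.log('escaped page yields', result.safeScripts.length, 'script element(s)');
console.log('escaped literal:', result.safeLiteral);
```

Because the escaping happens inside the string literal, the JS engine still decodes `\u003C` back to `<` at runtime, so the application receives the original text unchanged while the HTML tokenizer never encounters a terminator; the same escaping also neutralises `<!--`, which the comment above notes as the second string worth defending against.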
Hi, I looked at the typo3 site (it is fixed there) where I found this bug the first time. There is an XML header with an XHTML doctype, and the JS tags in the CDATA section are interpreted. Sorry, I didn't look at the header before I reported the bug, and I didn't know that CDATA is XML-specific. I think tags in a CDATA section of an XHTML file should not be interpreted. This was the original XHTML header of the exploitable site:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

I've uploaded an example XHTML file which pops up an alert box with the title of a page. The JS is nested in a CDATA section. Filename is: nestedJSInCDATAInXHTML.html
Created attachment 425427 [details] This is an example of a nested JS section in a CDATA field of an XHTML document. And it is interpreted!
(In reply to comment #3) > I think tags in a CDATA sections of a xhtml file should not be interpreted The choice of parser depends on the content type. If you use an XHTML doctype but serve the content as text/html, you get the text/html parser. If you want the XML parser, you need to serve the content as application/xhtml+xml.
Yes, it's right that the choice of parser depends on the content type. I suggest declaring this ticket as invalid too, but I think it's confusing for web developers. It's valid to use content type text/html for an XHTML version 1 document, but it's not valid to use some XML stuff in there. Additionally, the decision about the final content type is taken by the admin of the web server and not by the developer, who thought he was writing a native XML document. Surely the developer can use an XHTML version higher than 1, but I think many developers think that their XHTML version 1 file must be sent by the web server/admin as XML. But this is not a development issue of the Firefox browser, so I think the bug report should be invalid! BTW: On this platform the automatic choice for the content type of my uploaded XHTML file (see comment 4) is text/html, as in nearly every system (web servers included).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID