552137 - [HTML5] Normal characters dropped in innerHTML setter when surrounded by U+0000

Status: RESOLVED DUPLICATE of bug 566280

(Core :: DOM: HTML Parser, defect)

Description

[Steve Roussey (:sroussey)]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: 

When parsing, a text nodes starting with a null character will have them removed.

Reproducible: Always

Steps to Reproduce:
In an empty doc like <html><body></body></html> try this:

document.body.innerHTML="\0asdf\0"

results in:

document.body.textContent.length == 5


while 


document.body.textContent="\0asdf\0"

results in:

document.body.textContent.length == 6





Firebug bug reference: http://code.google.com/p/fbug/issues/detail?id=2917

Comment 1

[Boris Zbarsky [:bzbarsky]]

With which parser?  If it's only happening with the non-HTML5 parser, I don't think we care...

Comment 2

[Steve Roussey (:sroussey)]

I haven't done anything to enable the HTML5 parser, and Firebug certainly isn't running using it, as far as I know.

Comment 3

[Steve Roussey (:sroussey)]

For the HTML5 parser:

document.body.innerHTML="\0asdf\0"

results in:

document.body.textContent.length == 2

which is worse...

Comment 4

[WADA:World Anti-bad-Duping Agency]

Attachment: Simple html/script to see rendering result and escaped content value

Check results by attached simple HTML and script, to see rendering result and escaped content value.  Following is obj.textContent.length, escape(obj.textContent), escape(obj.innerHTML) values.

HTML5 is disabled.
  innerHTML="\0asdf\0"
    => 5 / asdf%uFFFD / asdf%uFFFD
  textContent="\0asdf\0"
    => 6 / %00asdf%00 / %00asdf%00
HTML5 is enabled.
  innerHTML="\0asdf\0"
    => 2 / %uFFFD%uFFFD / %uFFFD%uFFFD
  textContent="\0asdf\0"
    => 6 / %00asdf%00 / %00asdf%00

HTML5 is disabled:
   Parser looks to discard first 0x00, replace last 0x00 by U+FFFD.
HTML5 is enabled:
   Parser replaces 0x00+asd by U+FFFD and f+0x00 by U+FFFD?
What is correct handling of 0x00 in HTML source?

If a script uses obj.innerHTML to put special binary like "\0" in a text node, I think it can be said wrong use or misuse of DOM property by the script.

Comment 5

[Henri Sivonen (:hsivonen)]

(In reply to comment #4)
> HTML5 is enabled:
>    Parser replaces 0x00+asd by U+FFFD and f+0x00 by U+FFFD?

That's odd.

> What is correct handling of 0x00 in HTML source?

The correct handling per HTML5 is replacing U+0000 with U+FFFD.

The rationale is defense in depth. If the HTML5 dropped \0 but black-listing naive intermediate security enforcers didn't, an attacker could insert \0 to bypass blacklists. (Whitelists would be better of course, hence defense in depth as opposed to just defense.)

See also http://www.w3.org/Bugs/Public/show_bug.cgi?id=9096

Comment 6

[Steve Roussey (:sroussey)]

So is there a way in html to display the code marker for \u0000 the way we can in JS via document.body.textContent="\0" ?

Comment 7

[WADA:World Anti-bad-Duping Agency]

(In reply to comment #6)

<p>&#0;asdf&#0;</p> == <p>&#x0000;asdf&#x0000;</p>
== obj.textContent="\0asdf\0";, if HTML5 is disabled.
If HTML5 is enabled, &#0; / &#x0000; was converted to U+FFFD. 

Escaped values: (checked with Fx 3.6.0 on MS Win-XP SP3)
HTML5 is disabled :  6 / %00asdf%00       / %00asdf%00
HTML5 is enabled  :  6 / %uFFFDasdf%uFFFD / %uFFFDasdf%uFFFD

Comment 8

[Henri Sivonen (:hsivonen)]

Duplicating forward, because the newer bug has a fix.

Comment 9

[Boris Zbarsky [:bzbarsky]]

> So is there a way in html to display the code marker for \u0000 the way we can
> in JS via document.body.textContent="\0" ?

No.  Why would you need it?