Closed Bug 634536 Opened 13 years ago Closed 13 years ago

Firefox 3.6 should have the same html comment parsing behaviour as the 4 beta

Categories

(Core :: DOM: HTML Parser, defect)

1.9.2 Branch
defect
Not set
minor


RESOLVED DUPLICATE of bug 214476

People

(Reporter: db.pub.mail, Unassigned)


User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101210 4
Build Identifier: Magic ponies!

Firefox 3.6 should have the same html comment parsing behaviour as the 4 beta.

Yes I know about bugs https://bugzilla.mozilla.org/show_bug.cgi?id=584000, https://bugzilla.mozilla.org/show_bug.cgi?id=102127 etc.
and that '--' shouldn't be allowed in html comments.
However, <!-- stupidbutok > <script>alert('gotcha!');</script> -->
will show an alert dialogue with 'gotcha!' in it in firefox 3.6 but not in the latest firefox 4 beta builds.

http://www.w3.org/TR/html5/Overview.html#comments - states that 
"Finally, the comment must be ended by the three character sequence U+002D HYPHEN-MINUS, U+002D HYPHEN-MINUS, U+003E GREATER-THAN SIGN (-->)."
Chrome and firefox4 meet this requirement - but firefox 3.6 doesn't.


---
Also of note:
<!-- okfineletsbreakoutandxssmaybe -- % > <script>alert('gotcha!');</script> -->
also works fine in firefox 3.6.


This is probably just a minor problem (like all the other html parsing bugs) and not really of concern.



Reproducible: Always
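
As an added example (not part of the original report and not Mozilla code), the JavaScript below finds comments using the HTML5 rule quoted in the report and flags those containing `>`, `--` or a script tag, the shapes of the two inputs that Firefox 3.6 is reported to handle differently. `stripComments` removes whole comment spans so that nothing inside a comment is left for parsers to disagree about. The function names and reason labels are assumptions made for illustration.

```javascript
// Added example, not Mozilla code. A comment runs from "<!--" to the first "-->",
// as quoted in the report; edge cases ("<!-->", "--!>") are not modelled (assumption).
const REPORT_SAMPLES = [ // the two inputs from the report
  "<!-- stupidbutok > <script>alert('gotcha!');</script> -->",
  "<!-- okfineletsbreakoutandxssmaybe -- % > <script>alert('gotcha!');</script> -->",
];

// Return every comment span as {start, end, body, terminated}.
function scanComments(html) {
  const spans = [];
  let pos = 0;
  for (;;) {
    const start = html.indexOf("<!--", pos);
    if (start === -1) return spans;
    const close = html.indexOf("-->", start + 4);
    const terminated = close !== -1;
    const end = terminated ? close + 3 : html.length; // unterminated: rest of input
    const body = html.slice(start + 4, terminated ? close : html.length);
    spans.push({ start, end, body, terminated });
    if (!terminated) return spans;
    pos = end;
  }
}

// Flag comments whose body contains ">" or "--" (as in the report's inputs),
// a script tag, or no terminator at all.
function findRiskyComments(html) {
  return scanComments(html)
    .map((c) => {
      const reasons = [];
      if (!c.terminated) reasons.push("unterminated");
      if (c.body.includes(">")) reasons.push("gt-in-body");
      if (c.body.includes("--")) reasons.push("double-hyphen-in-body");
      if (/<script\b/i.test(c.body)) reasons.push("script-in-body");
      return { start: c.start, end: c.end, reasons };
    })
    .filter((f) => f.reasons.length > 0);
}

// Remove whole comment spans; repeat because a removal can join "<!" and "--".
function stripComments(html) {
  let prev;
  do {
    prev = html;
    let out = "", pos = 0;
    for (const c of scanComments(html)) { out += html.slice(pos, c.start); pos = c.end; }
    html = out + html.slice(pos);
  } while (html !== prev);
  return html;
}
```
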
You're looking for bug 214476, really. This was fixed by the new HTML5 parser, which is only available by default in Firefox 4. We're not going to backport it.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Component: Security → HTML: Parser
Product: Firefox → Core
QA Contact: firefox → parser
Resolution: --- → WONTFIX
See Also: → SGMLComment
Version: unspecified → 1.9.2 Branch
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---
Reed: probably not your place to decide WONTFIX on parser bugs. We could conceivably take the comment patch in bug 214476 on older branches without backporting the entire html5 parser, for example. We probably won't with Firefox 4 around the corner, but if all other browsers AND the latest Firefox parse comments the html5 way rather than the standard (but not followed) html4 way there may be even more pages broken in 3.6 in the future. If that's the case we may well want to do it before this causes a security problem for some site.

But better to advocate that in the bug with a patch.
Status: REOPENED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE