Closed
Bug 634536
Opened 14 years ago
Closed 14 years ago
Firefox 3.6 should have the same html comment parsing behaviour as the 4 beta
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
DUPLICATE
of bug 214476
People
(Reporter: db.pub.mail, Unassigned)
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101210 4
Build Identifier: Magic ponies!
Firefox 3.6 should have the same html comment parsing behaviour as the 4 beta.
Yes I know about bugs https://bugzilla.mozilla.org/show_bug.cgi?id=584000, https://bugzilla.mozilla.org/show_bug.cgi?id=102127 etc.
and that '--' shouldn't be allowed in html comments.
However, <!-- stupidbutok > <script>alert('gotcha!');</script> -->
will show an alert dialogue with 'gotcha!' in it in firefox 3.6 but not in the latest firefox 4 beta builds.
http://www.w3.org/TR/html5/Overview.html#comments - states that
"Finally, the comment must be ended by the three character sequence U+002D HYPHEN-MINUS, U+002D HYPHEN-MINUS, U+003E GREATER-THAN SIGN (-->)."
Chrome and Firefox 4 meet this requirement, but Firefox 3.6 doesn't.
---
Also of note:
<!-- okfineletsbreakoutandxssmaybe -- % > <script>alert('gotcha!');</script> -->
also works fine in Firefox 3.6.
This is probably just a minor problem (like all the other html parsing bugs) and not really of concern.
Reproducible: Always
Comment 1•14 years ago
You're looking for bug 214476, really. This was fixed by the new HTML5 parser, which is only available by default in Firefox 4. We're not going to backport it.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Component: Security → HTML: Parser
Product: Firefox → Core
QA Contact: firefox → parser
Resolution: --- → WONTFIX
See Also: → SGMLComment
Version: unspecified → 1.9.2 Branch
Updated•14 years ago
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WONTFIX → ---
Comment 2•14 years ago
Reed: probably not your place to decide WONTFIX on parser bugs. We could conceivably take the comment patch in bug 214476 on older branches without backporting the entire html5 parser, for example. We probably won't with Firefox 4 around the corner, but if all other browsers AND the latest Firefox parse comments the html5 way rather than the standard (but not followed) html4 way there may be even more pages broken in 3.6 in the future. If that's the case we may well want to do it before this causes a security problem for some site.
But better to advocate that in the bug with a patch.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → DUPLICATE
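Added example, not part of the bug report and not Mozilla's parser code: a check a site could run so that its own markup does not depend on which comment rule the browser applies, the concern raised in the description and in Comment 2. The function names are hypothetical, and the rejection policy in `commentTextIssues` is an assumption of this example, derived from the two test cases in the report.

```javascript
// Added example (not Mozilla code); all function names are hypothetical.

// End of a comment under the rule quoted in the report: the first "-->".
// Searching from start + 2 also treats "<!-->" and "<!--->" as closed
// comments, as the HTML5 tokenizer does. Returns the index just past the
// terminator, or -1 if `start` is not a comment or it never closes.
function html5CommentEnd(markup, start = 0) {
  if (!markup.startsWith("<!--", start)) return -1;
  const end = markup.indexOf("-->", start + 2);
  return end === -1 ? -1 : end + 3;
}

// Remove every comment using that rule; an unclosed comment runs to the end.
function stripHtml5Comments(markup) {
  let out = "";
  let pos = 0;
  for (;;) {
    const open = markup.indexOf("<!--", pos);
    if (open === -1) return out + markup.slice(pos);
    out += markup.slice(pos, open);
    const end = html5CommentEnd(markup, open);
    if (end === -1) return out;
    pos = end;
  }
}

// Conservative policy (an assumption of this example) for untrusted text that
// a server wants to place between "<!--" and "-->": reject anything the two
// test cases in the report depend on, so old and new parsers agree on the end.
function commentTextIssues(text) {
  const issues = [];
  if (text.includes("--")) issues.push("contains --");
  if (text.includes(">")) issues.push("contains >");
  if (text.endsWith("-")) issues.push("ends with -");
  return issues;
}

// The two test cases from the report, copied verbatim.
const CASE_1 = "<!-- stupidbutok > <script>alert('gotcha!');</script> -->";
const CASE_2 =
  "<!-- okfineletsbreakoutandxssmaybe -- % > <script>alert('gotcha!');</script> -->";

for (const c of [CASE_1, CASE_2]) {
  const inner = c.slice(4, -3);
  console.log(html5CommentEnd(c) === c.length, commentTextIssues(inner));
}
```

Under the quoted rule both test cases are a single comment, while the policy check flags the comment text in each, so a generator that enforces it never emits markup on which Firefox 3.6 and Firefox 4 disagree.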