Closed Bug 867380 Opened 12 years ago Closed 12 years ago

weird parser quirk with <!> tags being ignored in script

Categories

(Core :: DOM: HTML Parser, defect)

Other
Other
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: freddy, Unassigned)

Details

To quote from twitter (https://twitter.com/0x6D6172696F/status/329298962395824128):

> <svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>

(first greater-than sign for bugzilla style quoting, we start at less-than+svg...)

This HTML snippet is said to work on all modern browsers, basically executing alert(1). Although I don't really understand what's going on there, I guess it might be worth reconsidering this behavior :)
Component: XML → SVG
Nothing too mysterious here. When <svg:script>'s contents are parsed, the <!> become comments. You could make it more clear like so:

<svg><script>ale<!-- Hey there-->rt(1);</script>

You can do this with HTML scripts too, but you have to produce the comment nodes inside by hand, because <html:script> tokenizes its contents as CDATA, more or less.

The only thing that could be reconsidered here, I guess, is how stuff inside <svg:script> is tokenized, and there are backwards compat constraints on it. Given that there are already incredibly fun ways to obfuscate JS, I'm not sure it's worth changing the behavior here in any way, honestly.
Component: SVG → HTML: Parser
Not a bug. As for the "xss" keyword: if you are echoing untrusted content to the Web from your origin, you are doing it wrong unless you use an HTML parser, drop everything from the output that's not on a whitelist, and then reserialize the filtered data.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
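As an added illustration of the two comments above (this is not Gecko code and not part of the bug report), the JavaScript below models the tokenizer difference hen describes: in HTML content <script> switches to raw "script data", while inside <svg> the script's children are tokenized as ordinary markup, so "<!>" becomes an empty comment node and only the text nodes form the script source. It also shows why a string-matching filter for "alert(" misses the tweeted payload, which is the reason the last comment recommends parsing, whitelisting and reserializing instead. The function names, the simplified tokenizer and the sample inputs are this example's own assumptions.

```javascript
// Added illustration (not Gecko code, not from the bug report): a minimal
// model of why "<!>" disappears from a <script> inside <svg> but not from
// an HTML <script>. Helper names and sample inputs are this example's own.

// HTML content: <script> switches the tokenizer into the "script data"
// state, so everything up to </script> is raw text. "<!>" stays literal
// (and is a JavaScript syntax error when the script runs).
function htmlScriptText(markup) {
  const m = /<script[^>]*>([\s\S]*?)<\/script\s*>/i.exec(markup);
  return m ? m[1] : null;
}

// Foreign content (<svg>, <math>): <script> does not switch to raw text,
// so its children are tokenized as markup and only the text nodes end up
// as script source. Comments, including the empty "bogus comment" that
// "<!>" produces, contribute nothing.
function svgScriptText(markup) {
  const m = /<svg[^>]*>[\s\S]*?<script[^>]*>([\s\S]*?)<\/script\s*>/i.exec(markup);
  if (!m) return null;
  return tokenizeForeign(m[1])
    .filter((t) => t.type === 'text')
    .map((t) => t.data)
    .join('');
}

// Simplified tokenizer covering only the states that matter here: text,
// proper comments ("<!-- ... -->"), bogus comments ("<! ... >", "<? ... >")
// and tags. Spec edge cases such as "<!-->" or DOCTYPE are not modelled.
function tokenizeForeign(s) {
  const tokens = [];
  let text = '';
  let i = 0;
  const flushText = () => {
    if (text) tokens.push({ type: 'text', data: text });
    text = '';
  };
  // Consume from `start` through the first `terminator` and return the
  // content in between; at EOF, consume the rest of the input.
  const consumeUntil = (start, terminator) => {
    const end = s.indexOf(terminator, start);
    const stop = end === -1 ? s.length : end;
    i = end === -1 ? s.length : end + terminator.length;
    return s.slice(start, stop);
  };
  while (i < s.length) {
    const next = s[i + 1];
    if (s[i] !== '<') {
      text += s[i++];
    } else if (s.startsWith('<!--', i)) {
      flushText();
      tokens.push({ type: 'comment', data: consumeUntil(i + 4, '-->') });
    } else if (next === '!' || next === '?') {
      // Markup declaration that is not "<!--": the tokenizer enters the
      // bogus comment state and swallows everything up to the next ">".
      // For "<!>" that yields an empty comment node.
      flushText();
      tokens.push({ type: 'comment', data: consumeUntil(i + 2, '>') });
    } else if (next === '/' || /[A-Za-z]/.test(next || '')) {
      flushText();
      tokens.push({ type: 'tag', data: consumeUntil(i + 1, '>') });
    } else {
      // A "<" that starts nothing is plain text.
      text += s[i++];
    }
  }
  flushText();
  return tokens;
}

// A string-matching "XSS filter" looking for the call site. It only ever
// sees "a<!>l<!>e..." in the SVG payload and never matches.
const NAIVE_PATTERN = /alert\s*\(/i;
function naiveFilterCatches(markup) {
  return NAIVE_PATTERN.test(markup);
}

// Constructed inputs: the tweeted payload and hen's clearer variant.
const SVG_PAYLOAD = '<svg><script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>';
const SVG_COMMENT = '<svg><script>ale<!-- Hey there-->rt(1);</script>';
const HTML_PAYLOAD = '<script>a<!>l<!>e<!>r<!>t<!>(<!>1<!>)</script>';

console.log('svg  :', JSON.stringify(svgScriptText(SVG_PAYLOAD)));   // "alert(1)"
console.log('svg  :', JSON.stringify(svgScriptText(SVG_COMMENT)));   // "alert(1);"
console.log('html :', JSON.stringify(htmlScriptText(HTML_PAYLOAD))); // raw, "<!>" kept
console.log('naive filter catches svg payload:', naiveFilterCatches(SVG_PAYLOAD)); // false
```

The takeaway matches the resolution: the behaviour is the foreign-content tokenization the spec requires, and the defence is structural. A parser-based whitelist would drop the <script> element (and the <svg> element, unless it is explicitly allowed) regardless of how the text inside it is split up, whereas any filter that looks for substrings of the script source is defeated by the comment trick.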