This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 11668 - Make the following note into a security warning: "It is possible that the output of this algorithm, if parsed with an HTML parser, will not return the original tree structure." and add an example of an attack (ack Eduardo Vela Nava)
Summary: Make the following note into a security warning: "It is possible that the out...
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec
Version: unspecified
Hardware: Other other
Priority: P3, Severity: normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:

Reported: 2011-01-04 21:54 UTC by contributor
Modified: 2011-08-04 05:12 UTC
CC: 4 users

Description contributor 2011-01-04 21:54:48 UTC
Specification: http://www.whatwg.org/specs/web-apps/current-work/complete/the-end.html
Section: http://www.whatwg.org/specs/web-apps/current-work/#serializing-html-fragments

Comment:
Make the following note into a security warning: "It is possible that the
output of this algorithm, if parsed with an HTML parser, will not return the
original tree structure." and add an example of an attack (ack Eduardo Vela
Nava)

Posted from: 216.239.45.4 by ian@hixie.ch
Comment 1 Ian 'Hixie' Hickson 2011-01-04 22:00:24 UTC
An example would be a page that lets the user enter some font names that are then inserted into a CSS <style> block via the DOM and which then uses innerHTML to get the HTML serialisation of that <style> block. If the user enters "</style><script>attack</script>" as a font name, innerHTML will return markup that contains a <script> node, even though no <script> node existed in the original DOM.
Comment 2 Ian 'Hixie' Hickson 2011-02-07 22:33:21 UTC
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: see diff given below
Rationale: Concurred with reporter's comments.
Comment 3 contributor 2011-02-07 22:34:50 UTC
Checked in as WHATWG revision r5839.
Check-in comment: Raise the profile of a note to the level of a warning, since what it is talking about could result in XSS.
http://html5.org/tools/web-apps-tracker?from=5838&to=5839
Comment 4 Michael[tm] Smith 2011-08-04 05:12:43 UTC
mass-move component to LC1