[ac] (0) Disallow ` in unquoted attribute values.

git-svn-id: http://svn.whatwg.org/webapps@4076 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Oct 5, 2009 · 35846c1 · 35846c1
1 parent b8229a0
commit 35846c1
Show file tree

Hide file tree

Showing 2 changed files with 70 additions and 6 deletions.
diff --git a/index b/index
@@ -59367,9 +59367,39 @@ interface <dfn id=messageport>MessagePort</dfn> {
     characters</a>, any U+0022 QUOTATION MARK (<code>"</code>)
     characters, U+0027 APOSTROPHE (<code>'</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>&gt;</code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
+
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
 
     <div class=example>
 
@@ -61481,6 +61511,7 @@ interface <dfn id=messageport>MessagePort</dfn> {
 
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 
@@ -61561,6 +61592,7 @@ interface <dfn id=messageport>MessagePort</dfn> {
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><a href=#parse-error>Parse error</a>. Treat it as per the "anything else"
    entry below.</dd>
 

diff --git a/source b/source
@@ -76761,9 +76761,39 @@ interface <dfn>MessagePort</dfn> {
     characters</span>, any U+0022 QUOTATION MARK (<code>&#x22;</code>)
     characters, U+0027 APOSTROPHE (<code>&#x27;</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>&gt;</code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
+
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
 
     <div class="example">
 
@@ -79153,6 +79183,7 @@ interface <dfn>MessagePort</dfn> {
 
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>
 
@@ -79248,6 +79279,7 @@ interface <dfn>MessagePort</dfn> {
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>