HTML Standard Tracker


SVN revision: 4076
Bug: 
Comment: [Authors] [Conformance Checkers] Disallow ` in unquoted attribute values.
Time (UTC): 2009-10-05 03:31
@@ -76754,23 +76754,53 @@ interface <dfn>MessagePort</dfn> {
     followed by zero or more <span title="space character">space
     characters</span>, followed by a single U+003D EQUALS SIGN
     character, followed by zero or more <span title="space
     character">space characters</span>, followed by the <span
     title="syntax-attribute-value">attribute value</span>, which, in
     addition to the requirements given above for attribute values,
     must not contain any literal <span title="space character">space
     characters</span>, any U+0022 QUOTATION MARK (<code>&#x22;</code>)
     characters, U+0027 APOSTROPHE (<code>&#x27;</code>) characters,
     U+003D EQUALS SIGN (<code>=</code>) characters, U+003C LESS-THAN
-    SIGN (<code>&lt;</code>) characters, or U+003E GREATER-THAN SIGN
-    (<code>&gt;</code>) characters, and must not be the empty
-    string.</p>
+    SIGN (<code>&lt;</code>) characters, U+003E GREATER-THAN SIGN
+    (<code>&gt;</code>) characters, or U+0060 GRAVE ACCENT (`)
+    characters, and must not be the empty string.</p>
+
+    <!-- The ` character is in this list on a temporary basis, waiting
+         for IE to fix it's parsing bug whereby it treats ` as an
+         attribute value delimiter. Otherwise, escaping software that
+         tries to be clever and not use quotes when it doesn't need to
+         could be tricked by an attacker.
+
+         Posit a site that allows the user to input text that is used
+         verbatim in two attributes, such that the user can set the
+         first attribute's value to:
+
+            `
+
+         ...and the second to:
+
+            ` onload='...payload...' end=x
+
+         ...with the assumption that the site is going to not quote
+         the first one, and quote the second one with double quotes:
+
+            <body title=` class="` onload='...payload...' end=x">
+
+         In IE, this is treated as:
+
+            <body title=' class="'
+                  onload='...payload...'
+                  end='x"'>
+
+    -->
+
 
     <div class="example">
 
      <p>In the following example, the <code
      title="attr-input-value">value</code> attribute is given
      with the unquoted attribute value syntax:</p>
 
      <pre>&lt;input <em>value=yes</em>&gt;</pre>
 
     </div>
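
Review bot: in the new conformance text (the three `+` lines replacing the old sentence) U+0060 GRAVE ACCENT is written as a bare ` while every other character in the same list is wrapped in `<code>` (for example `U+003D EQUALS SIGN (<code>=</code>)`); wrap it as `U+0060 GRAVE ACCENT (<code>`</code>)` so the list renders consistently. In the added source comment, "waiting for IE to fix it's parsing bug" should read "its". Because the comment explicitly calls the restriction temporary, it should also record what its removal is waiting on (the browser bug or tracker entry) and mention that the matching `<dt>U+0060 GRAVE ACCENT (`)</dt>` entries in the two tokenizer states further down must be removed at the same time; otherwise the authoring rule and the tokenizer parse errors will drift apart when someone lifts only one of them.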
@@ -79146,20 +79176,21 @@ interface <dfn>MessagePort</dfn> {
 
    <dt>U+0027 APOSTROPHE (')</dt>
    <dd>Switch to the <span>attribute value (single-quoted) state</span>.</dd>
 
    <dt>U+003E GREATER-THAN SIGN (&gt;)</dt>
    <dd><span>Parse error</span>. Emit the current tag token. Switch to
    the <span>data state</span>.</dd>
 
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>
 
    <dt>EOF</dt>
    <dd><span>Parse error</span>. Reconsume the EOF character in the
    <span>data state</span>.</dd>
 
    <dt>Anything else</dt>
    <dd>Append the <span>current input character</span> to the current
    attribute's value. Switch to the <span>attribute value (unquoted)
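
Review bot: the added `<dt>U+0060 GRAVE ACCENT (`)</dt>` correctly joins the existing `<` / `=` group that shares the "Parse error. Treat it as per the 'anything else' entry below" `<dd>`, but nothing in this state says why a character that is otherwise legal in attribute values is now flagged; add a short `<!-- -->` comment here pointing at the authoring-section comment about IE treating ` as an attribute value delimiter, so the rationale is visible where the parse error is raised. Worth stating in that comment as well: the character is still appended to the value, so conforming parsers behave exactly as before and the new protection lives entirely in conformance checkers.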
@@ -79241,20 +79272,21 @@ interface <dfn>MessagePort</dfn> {
    being U+003E GREATER-THAN SIGN (&gt;).</dd>
 
    <dt>U+003E GREATER-THAN SIGN (&gt;)</dt>
    <dd>Emit the current tag token. Switch to the <span>data
    state</span>.</dd>
 
    <dt>U+0022 QUOTATION MARK (&quot;)</dt>
    <dt>U+0027 APOSTROPHE (')</dt>
    <dt>U+003C LESS-THAN SIGN (&lt;)</dt>
    <dt>U+003D EQUALS SIGN (=)</dt>
+   <dt>U+0060 GRAVE ACCENT (`)</dt>
    <dd><span>Parse error</span>. Treat it as per the "anything else"
    entry below.</dd>
 
    <dt>EOF</dt>
    <dd><span>Parse error</span>. Reconsume the EOF character in the
    <span>data state</span>.</dd>
 
    <dt>Anything else</dt>
    <dd>Append the <span>current input character</span> to the current attribute's
    value. Stay in the <span>attribute value (unquoted)
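
Review bot: this is the same one-line addition as in the before-attribute-value state, and it is the state where the IE divergence described in the authoring comment actually bites (a ` in the middle of an unquoted value). The two lists now have to stay in lockstep, so a comment in each pointing at the other would help; and since the parse error is new, tokenizer tests should cover an unquoted value that begins with ` (first state) and one that contains ` after other characters (this state), checking both that the error is reported and that the resulting attribute value still contains the ` unchanged.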
