[e] (0) Raise the profile of a note to the level of a warning, since …

…what it is talking about could result in XSS. Fixing http://www.w3.org/Bugs/Public/show_bug.cgi?id=11668 git-svn-id: http://svn.whatwg.org/webapps@5839 340c8d12-0b0e-0410-8428-c7bf67bfef74
whatwg · Feb 7, 2011 · cd07bf1 · cd07bf1
1 parent 600575d
commit cd07bf1
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 45 deletions.
diff --git a/complete.html b/complete.html
@@ -84802,22 +84802,40 @@ <h3 id=serializing-html-fragments><span class=secno>12.3 </span>Serializing HTML
   </ol><p class=note>Entity reference nodes are <a href=#entity-references>assumed to be expanded</a> by the user
   agent, and are therefore not covered in the algorithm above.</p>
 
-  <p class=note>It is possible that the output of this algorithm, if
+  <p class=warning>It is possible that the output of this algorithm, if
   parsed with an <a href=#html-parser>HTML parser</a>, will not return the
-  original tree structure. For instance, if a <code><a href=#the-textarea-element>textarea</a></code>
-  element to which a <code title="">Comment</code> node has been
-  appended is serialized and the output is then reparsed, the comment
-  will end up being displayed in the text field. Similarly, if, as a
-  result of DOM manipulation, an element contains a comment that
-  contains the literal string "<code title="">--&gt;</code>", then
-  when the result of serializing the element is parsed, the comment
-  will be truncated at that point and the rest of the comment will be
-  interpreted as markup. More examples would be making a
-  <code><a href=#script>script</a></code> element contain a text node with the text string
-  "<code>&lt;/script&gt;</code>", or having a <code><a href=#the-p-element>p</a></code> element that
-  contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code> element's
-  <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would imply the end
-  tag for the <code><a href=#the-p-element>p</a></code>).</p>
+  original tree structure.</p>
+
+  <div class=example>
+
+   <p>For instance, if a <code><a href=#the-textarea-element>textarea</a></code> element to which a
+   <code title="">Comment</code> node has been appended is serialized
+   and the output is then reparsed, the comment will end up being
+   displayed in the text field. Similarly, if, as a result of DOM
+   manipulation, an element contains a comment that contains the
+   literal string "<code title="">--&gt;</code>", then when the result
+   of serializing the element is parsed, the comment will be truncated
+   at that point and the rest of the comment will be interpreted as
+   markup. More examples would be making a <code><a href=#script>script</a></code> element
+   contain a text node with the text string
+   "<code>&lt;/script&gt;</code>", or having a <code><a href=#the-p-element>p</a></code> element
+   that contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code>
+   element's <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would
+   imply the end tag for the <code><a href=#the-p-element>p</a></code>).</p>
+
+   <p>This can enable cross-site scripting attacks. An example of this
+   would be a page that lets the user enter some font names that are
+   then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
+   which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
+   IDL attribute to get the HTML serialization of that
+   <code><a href=#the-style-element>style</a></code> element: if the user enters
+   "<code>&lt;/style&gt;&lt;script&gt;attack&lt;/script&gt;</code>" as a font
+   name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
+   markup that, if parsed in a different context, would contain a
+   <code><a href=#script>script</a></code> node, even though no <code><a href=#script>script</a></code> node
+   existed in the original DOM.</p>
+
+  </div>
 
   <p><dfn id=escapingString>Escaping a string</dfn> (for the
   purposes of the algorithm above) consists of running the following

diff --git a/index b/index
@@ -80773,22 +80773,40 @@ document.body.appendChild(text);
   </ol><p class=note>Entity reference nodes are <a href=#entity-references>assumed to be expanded</a> by the user
   agent, and are therefore not covered in the algorithm above.</p>
 
-  <p class=note>It is possible that the output of this algorithm, if
+  <p class=warning>It is possible that the output of this algorithm, if
   parsed with an <a href=#html-parser>HTML parser</a>, will not return the
-  original tree structure. For instance, if a <code><a href=#the-textarea-element>textarea</a></code>
-  element to which a <code title="">Comment</code> node has been
-  appended is serialized and the output is then reparsed, the comment
-  will end up being displayed in the text field. Similarly, if, as a
-  result of DOM manipulation, an element contains a comment that
-  contains the literal string "<code title="">--&gt;</code>", then
-  when the result of serializing the element is parsed, the comment
-  will be truncated at that point and the rest of the comment will be
-  interpreted as markup. More examples would be making a
-  <code><a href=#script>script</a></code> element contain a text node with the text string
-  "<code>&lt;/script&gt;</code>", or having a <code><a href=#the-p-element>p</a></code> element that
-  contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code> element's
-  <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would imply the end
-  tag for the <code><a href=#the-p-element>p</a></code>).</p>
+  original tree structure.</p>
+
+  <div class=example>
+
+   <p>For instance, if a <code><a href=#the-textarea-element>textarea</a></code> element to which a
+   <code title="">Comment</code> node has been appended is serialized
+   and the output is then reparsed, the comment will end up being
+   displayed in the text field. Similarly, if, as a result of DOM
+   manipulation, an element contains a comment that contains the
+   literal string "<code title="">--&gt;</code>", then when the result
+   of serializing the element is parsed, the comment will be truncated
+   at that point and the rest of the comment will be interpreted as
+   markup. More examples would be making a <code><a href=#script>script</a></code> element
+   contain a text node with the text string
+   "<code>&lt;/script&gt;</code>", or having a <code><a href=#the-p-element>p</a></code> element
+   that contains a <code><a href=#the-ul-element>ul</a></code> element (as the <code><a href=#the-ul-element>ul</a></code>
+   element's <a href=#syntax-start-tag title=syntax-start-tag>start tag</a> would
+   imply the end tag for the <code><a href=#the-p-element>p</a></code>).</p>
+
+   <p>This can enable cross-site scripting attacks. An example of this
+   would be a page that lets the user enter some font names that are
+   then inserted into a CSS <code><a href=#the-style-element>style</a></code> block via the DOM and
+   which then uses the <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code>
+   IDL attribute to get the HTML serialization of that
+   <code><a href=#the-style-element>style</a></code> element: if the user enters
+   "<code>&lt;/style&gt;&lt;script&gt;attack&lt;/script&gt;</code>" as a font
+   name, <code title=dom-innerHTML><a href=#dom-innerhtml>innerHTML</a></code> will return
+   markup that, if parsed in a different context, would contain a
+   <code><a href=#script>script</a></code> node, even though no <code><a href=#script>script</a></code> node
+   existed in the original DOM.</p>
+
+  </div>
 
   <p><dfn id=escapingString>Escaping a string</dfn> (for the
   purposes of the algorithm above) consists of running the following

diff --git a/source b/source
@@ -95992,22 +95992,40 @@ document.body.appendChild(text);
   href="#entity-references">assumed to be expanded</a> by the user
   agent, and are therefore not covered in the algorithm above.</p>
 
-  <p class="note">It is possible that the output of this algorithm, if
+  <p class="warning">It is possible that the output of this algorithm, if
   parsed with an <span>HTML parser</span>, will not return the
-  original tree structure. For instance, if a <code>textarea</code>
-  element to which a <code title="">Comment</code> node has been
-  appended is serialized and the output is then reparsed, the comment
-  will end up being displayed in the text field. Similarly, if, as a
-  result of DOM manipulation, an element contains a comment that
-  contains the literal string "<code title="">--&gt;</code>", then
-  when the result of serializing the element is parsed, the comment
-  will be truncated at that point and the rest of the comment will be
-  interpreted as markup. More examples would be making a
-  <code>script</code> element contain a text node with the text string
-  "<code>&lt;/script></code>", or having a <code>p</code> element that
-  contains a <code>ul</code> element (as the <code>ul</code> element's
-  <span title="syntax-start-tag">start tag</span> would imply the end
-  tag for the <code>p</code>).</p>
+  original tree structure.</p>
+
+  <div class="example">
+
+   <p>For instance, if a <code>textarea</code> element to which a
+   <code title="">Comment</code> node has been appended is serialized
+   and the output is then reparsed, the comment will end up being
+   displayed in the text field. Similarly, if, as a result of DOM
+   manipulation, an element contains a comment that contains the
+   literal string "<code title="">--&gt;</code>", then when the result
+   of serializing the element is parsed, the comment will be truncated
+   at that point and the rest of the comment will be interpreted as
+   markup. More examples would be making a <code>script</code> element
+   contain a text node with the text string
+   "<code>&lt;/script></code>", or having a <code>p</code> element
+   that contains a <code>ul</code> element (as the <code>ul</code>
+   element's <span title="syntax-start-tag">start tag</span> would
+   imply the end tag for the <code>p</code>).</p>
+
+   <p>This can enable cross-site scripting attacks. An example of this
+   would be a page that lets the user enter some font names that are
+   then inserted into a CSS <code>style</code> block via the DOM and
+   which then uses the <code title="dom-innerHTML">innerHTML</code>
+   IDL attribute to get the HTML serialization of that
+   <code>style</code> element: if the user enters
+   "<code>&lt;/style>&lt;script>attack&lt;/script></code>" as a font
+   name, <code title="dom-innerHTML">innerHTML</code> will return
+   markup that, if parsed in a different context, would contain a
+   <code>script</code> node, even though no <code>script</code> node
+   existed in the original DOM.</p>
+
+  </div>
 
   <p><dfn id="escapingString">Escaping a string</dfn> (for the
   purposes of the algorithm above) consists of running the following