archives

« Bugzilla Issues Index

#463 — String.prototype HTML methods in Annex B should escape " as " in argument values for security reasons

• bug_id: 463
• creation_ts: 2012-07-08 04:56:00 -0700
• short_desc: String.prototype HTML methods in Annex B should escape " as " in argument values for security reasons
• delta_ts: 2012-07-08 15:56:59 -0700
• product: Draft for 6th Edition
• component: technical issue
• version: Rev 8: June 15, 2012 Draft
• rep_platform: All
• op_sys: All
• bug_status: RESOLVED
• resolution: DUPLICATE
• dup_id: 406
• see_also: https://bugzilla.mozilla.org/show_bug.cgi?id=352437
• priority: Normal
• bug_severity: enhancement
• everconfirmed: true
• reporter: Mathias Bynens
• assigned_to: Allen Wirfs-Brock
• cc: mathias

---

• commentid: 1146
• comment_count: 0
• who: Mathias Bynens
• bug_when: 2012-07-08 04:56:11 -0700

Following the algorithms of these methods in the current ES6 draft:

> '_'.link('a"b')
'<a href="a"b">_</a>'

However, this would be a better result:

> '_'.link('a"b')
'<a href="a&quot;b">_</a>'

The problem here is " doesn’t escape into &quot; at the moment, which is a potential security risk (XSS vector).

For this reason, Chrome/V8 escapes " into &quot;. Firefox/Spidermonkey is going to change its behavior to do the same: https://bugzilla.mozilla.org/show_bug.cgi?id=352437 Opera/Carakan will change its behavior too, as soon as other browsers change (bug DSK-369206). The IE bug is here: https://connect.microsoft.com/IE/feedback/details/752391

http://mathias.html5.org/specs/javascript/#escapeattributevalue requires escaping the ".

Tests: http://mathias.html5.org/tests/javascript/string/

Here’s a list of the methods that have this issue:

* String.prototype.anchor(name)
* String.prototype.fontcolor(color)
* String.prototype.fontsize(size)
* String.prototype.link(href)

---

• commentid: 1183
• comment_count: 1
• who: Allen Wirfs-Brock
• bug_when: 2012-07-08 15:56:59 -0700

*** This bug has been marked as a duplicate of bug 406 ***