headers
Maxim Kirillov | 19 Jun 06:09
Favicon

bug: disable-script can miss "</script>"

for this document:
----------------
<html>
<script type="text/javaScript" language="javascript">
    document.write('<input type="hidden" name="oRef" value="' + document.referrer.replace(/"/gi,'')
+ '" />');
</script>
aaa
</html>
-----------------

setting disable-script = on 

produces the following:
----------------------
<html>
<!-- WWWOFFLE (disable-script) - script type="text/javaScript" language="javascript" -->
<!-- WWWOFFLE (disable-script) - ... -->
----------------------

this is wrong.

the real world example is here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=aea55f2f-07b5-4a8c-8a44-b4e1b196d5c0&displaylang=en

looks like parser cannot detect the script end

--

-- 
Max
(Continue reading)

Permalink | Reply |
headers
Andrew M. Bishop | 21 Jun 21:14

Re: bug: disable-script can miss "</script>"

Maxim Kirillov <max630@...> writes:

> for this document:
> ----------------
> <html>
> <script type="text/javaScript" language="javascript">
>     document.write('<input type="hidden" name="oRef" value="' +
document.referrer.replace(/"/gi,'') + '" />');
> </script>
> aaa
> </html>
> -----------------
> 
> setting disable-script = on 
> 
> produces the following:
> ----------------------
> <html>
> <!-- WWWOFFLE (disable-script) - script type="text/javaScript" language="javascript" -->
> <!-- WWWOFFLE (disable-script) - ... -->
> ----------------------
> 
> this is wrong.
> 
> the real world example is here:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=aea55f2f-07b5-4a8c-8a44-b4e1b196d5c0&displaylang=en
> 
> looks like parser cannot detect the script end

First let me say that I don't understand Javascript language rules.
(Continue reading)

Permalink | Reply |
headers
Max Kirillov | 23 Jun 06:25
Favicon

Re: bug: disable-script can miss "</script>"

On Thu, Jun 21, 2007 at 08:14:07PM +0100, Andrew M. Bishop wrote:
> WWWOFFLE cannot just match '</script>' within a quoted
> string as being the end of a script because it might not
> be.

http://www.w3.org/TR/html4/appendix/notes.html#notes-specifying-data

--

-- 
Maxim Kirillov
Plesk Developer
SWsoft, Inc.
Permalink | Reply |
headers
Max Kirillov | 23 Jun 06:16
Favicon

Re: bug: disable-script can miss "</script>"

On Thu, Jun 21, 2007 at 08:14:07PM +0100, Andrew M. Bishop wrote:
> WWWOFFLE cannot just match '</script>' within a quoted
> string as being the end of a script because it might not
> be.

I think this is wrong. Not read standards yet, but, by pure
thinking, js syntax must not be a part of html syntax, it is
just encapsulated in a text node. And html syntax does not
have quoted strings.

This doc:
---------------
<html>
<script>
alert("</script>");
</script>
</html>
---------------

caused "unterminated string literal" error in the js console
in firefox.

--

-- 
Max
Permalink | Reply |
headers
Andrew M. Bishop | 23 Jun 20:14

Re: bug: disable-script can miss "</script>"

Max Kirillov <max630@...> writes:

> On Thu, Jun 21, 2007 at 08:14:07PM +0100, Andrew M. Bishop wrote:
> > WWWOFFLE cannot just match '</script>' within a quoted
> > string as being the end of a script because it might not
> > be.
> 
> I think this is wrong. Not read standards yet, but, by pure
> thinking, js syntax must not be a part of html syntax, it is
> just encapsulated in a text node. And html syntax does not
> have quoted strings.
> 
> This doc:
> ---------------
> <html>
> <script>
> alert("</script>");
> </script>
> </html>
> ---------------
> 
> caused "unterminated string literal" error in the js console
> in firefox.

What did it show in the browser?  Did the characters after the
</script> tag '");' show up or not?

Your example in Firefox proves that at least one version of one web
browser will terminate the script parsing when it sees "</script>".
Unfortunately it isn't proof that every browser does the same thing.
(Continue reading)

Permalink | Reply |

Gmane