Attribute quoting with backquotes in HTML::Parser

Attribute quoting with backquotes in HTML::Parser

am 06.02.2007 15:55:13 von kappa

Good day!

I searched the archives and didn't find anything. Were there
discussions about supporting weird IE quoting with backquotes
(`a)?

It seems that IE7 continues to implement it so HTML::Parser should
probably too at least with a non-default option.

Currently, it is parsed as `a.

What are the thoughts? Backquotes are mostly used in XSS exploits
nowadays and I have a hard time dealing with such attacks using
HTML::Parser.

--
Alex Kapranoff.

Re: Attribute quoting with backquotes in HTML::Parser

am 06.02.2007 16:41:49 von gisle

On 2/6/07, Alex Kapranoff wrote:
> Good day!
>
> I searched the archives and didn't find anything. Were there
> discussions about supporting weird IE quoting with backquotes
> (`a)?

I never heared a request for that before so I don't think so.

> It seems that IE7 continues to implement it so HTML::Parser should
> probably too at least with a non-default option.
>
> Currently, it is parsed as `a.
>
> What are the thoughts? Backquotes are mostly used in XSS exploits
> nowadays and I have a hard time dealing with such attacks using
> HTML::Parser.

It seems kind of harmless (and easy) to support this so I'm not oposing it.
What "rules" do IE follow when it can't find the matching ending backquote?

--
Gisle Aas

Re: Attribute quoting with backquotes in HTML::Parser

am 06.02.2007 19:03:02 von kappa

* Gisle Aas [February 06 2007, 18:41]:
> On 2/6/07, Alex Kapranoff wrote:
> >Good day!
> >
> >I searched the archives and didn't find anything. Were there
> >discussions about supporting weird IE quoting with backquotes
> >(`a)?
>
> I never heared a request for that before so I don't think so.
>
> >It seems that IE7 continues to implement it so HTML::Parser should
> >probably too at least with a non-default option.
> >
> >Currently, it is parsed as `a.
> >
> >What are the thoughts? Backquotes are mostly used in XSS exploits
> >nowadays and I have a hard time dealing with such attacks using
> >HTML::Parser.
>
> It seems kind of harmless (and easy) to support this so I'm not oposing it.
> What "rules" do IE follow when it can't find the matching ending backquote?

Looks like it doesn't stop at either double or single quote and eats
all the document into the attribute. If there's no closing backquote
or closing angle in the parent tag, the tag is skipped and the parsing
restarts at the next opening angle.

I could not find differences between "backquoting" and normal quoting
with " or '.

--
Alex Kapranoff.