Please also credit nlisgo, akalata, nod_, harjotsingh
because #2120113: XHTML is not a thing anymore, remove <!--//--><![CDATA[//><!-- //--><!]]> for escaping inline JS/CSS
Problem/Motivation
#value_prefix and #value_suffix allow CDATA escaping of inline scripts, which is a security risk and hasn't been applicable since XHTML went away (for IE5 one needed the CDATA XML tags to include JavaScript on a page).
Proposed resolution
Remove code inserting CDATA values to browser prefix and suffix.
Remaining tasks
User interface changes
API changes
Data model changes
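The point of the issue is that the `<!--//--><![CDATA[//><!-- ... //--><!]]>` wrapper is not an escaping mechanism at all: an HTML5 parser treats `<script>` as a raw-text element and ends it at the first `</script`, CDATA marker or not, and the wrapper only ever parsed because JavaScript reads `<!--` and `//` as comments. The following is an added example, not Drupal code and not the html_tag render element; it runs under Node and uses constructed sample bodies. The helper `toInlineScriptLiteral` is a hypothetical name for the usual mitigation (JSON-encode and escape `<`) and is not something the patch adds.

```javascript
// Added example (not Drupal code): what the legacy XHTML CDATA wrapper does
// and does not do once an inline <script> body is parsed as HTML5 + JS.

// The wrapper the removed #value_prefix / #value_suffix emitted around inline JS.
const LEGACY_PREFIX = '<!--//--><![CDATA[//><!--\n';
const LEGACY_SUFFIX = '\n//--><!]]>';

// Evaluate a script body the way a browser's JS engine sees it (sloppy-mode
// script code). "<!--" and "//" both start single-line comments there
// (ECMAScript Annex B HTML-like comments), so the wrapper is comment noise
// that the engine skips: it neither escapes nor protects anything.
function evalScriptBody(body) {
  return new Function(body)();
}

// HTML5 raw-text rule: a <script> element's content ends at the first
// "</script" (case-insensitive). CDATA markers do not change that, so this
// check mirrors the only end condition an HTML parser actually applies.
function breaksOutOfScript(body) {
  return /<\/script/i.test(body);
}

// Hypothetical helper (not in the patch): the real mitigation for putting
// data into inline JS is to JSON-encode it and escape "<" so "</script"
// can never appear in the output, whatever the data contains.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/</g, '\\u003c');
}

// Constructed sample bodies.
const SAFE_BODY = 'return 40 + 2;';
const HOSTILE_BODY = 'return 1;\n</script><!-- injected markup -->';

// Wrapped and unwrapped bodies evaluate identically: the wrapper is inert.
function wrapperIsInert(body) {
  return evalScriptBody(LEGACY_PREFIX + body + LEGACY_SUFFIX) === evalScriptBody(body);
}

// The wrapper does not stop a body from terminating the <script> element.
function wrapperPreventsBreakout(body) {
  return !breaksOutOfScript(LEGACY_PREFIX + body + LEGACY_SUFFIX);
}

// Stand-alone run.
console.log('wrapper inert for safe body:', wrapperIsInert(SAFE_BODY));            // true
console.log('wrapper stops breakout:', wrapperPreventsBreakout(HOSTILE_BODY));     // false
console.log('escaped literal stays inside script:',
  !breaksOutOfScript(toInlineScriptLiteral('</script>')));                          // true
```

Running it shows the two facts the issue relies on: the wrapped and unwrapped safe body both return 42, and wrapping the hostile body still leaves a `</script` that an HTML parser would honour, whereas the JSON-encoded literal round-trips the same string without ever containing `</script` in the markup.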
Comment | File | Size | Author |
---|---|---|---|
#4 | 2550467.4.patch | 5.56 KB | alexpott |
Comments
Comment #2
manningpete CreditAttribution: manningpete commented
Comment #3
alexpott
As per #2120113: XHTML is not a thing anymore, remove <!--//--><![CDATA[//><!-- //--><!]]> for escaping inline JS/CSS the whole CDATA use case is bogus.
Comment #4
alexpott
With this patch the html_tag render element is finally not a sec hole waiting to happen.
Comment #5
manningpete CreditAttribution: manningpete commented
I reviewed the patch and verified it removes the CDATA code. Goodbye, 2000!
Comment #6
YesCT CreditAttribution: YesCT commented
would be good to credit
nlisgo, akalata, nod_, harjotsingh
this issue is doing more, but also solving #2120113: XHTML is not a thing anymore, remove <!--//--><![CDATA[//><!-- //--><!]]> for escaping inline JS/CSS
Comment #7
YesCT CreditAttribution: YesCT commented
Comment #8
manningpete CreditAttribution: manningpete commented
Comment #9
akalata CreditAttribution: akalata commented
Sweet!
Comment #10
alexpott
Adding people to the commit credit
Comment #11
manningpete CreditAttribution: manningpete commented
Comment #13
catch
This looks great.
Going to try a small experiment with d.o issue credit and put both this nid and #2120113: XHTML is not a thing anymore, remove <!--//--><![CDATA[//><!-- //--><!]]> for escaping inline JS/CSS in the commit message.
Committed/pushed to 8.0.x, thanks!