On Thu, Feb 4, 2010 at 12:44 PM, Michal Zalewski <lcam...@coredump.cx> wrote:
> The same argument could be made for not escaping <, but I don't think
> it's valid in practice - particularly for (hypothetically) constrained
> input fields.
The use-cases for srcdoc are only where you expect HTML input. HTML input is very likely to contain " or '. By contrast, ordinary XSS usually occurs when < is unlikely to occur in legitimate input, so you won't spot it right away -- as you say, constrained input fields. Why would anyone, even someone who's extremely confused and/or ignorant, even *attempt* to use srcdoc to contain anything other than HTML?
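Added example (not part of the thread, and not code from either correspondent): serializing an HTML document into an iframe srcdoc attribute. It shows why the quote delimiter and `&` are what must be escaped in that position, and what a naive, unescaped embedding of HTML that legitimately contains `"` does to the attribute. The function names and the sample HTML are constructed for this illustration.

```javascript
// Inside a double-quoted attribute value only '&' and '"' need escaping;
// '<' is harmless there. When the iframe is built via the DOM, setting
// iframe.srcdoc = html needs no escaping at all; the escaping below is
// for the case where the markup is serialized to a string.

// Minimal attribute escaping for a double-quoted attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;");
}

// Serialize an <iframe srcdoc> with the HTML document escaped as an attribute.
function srcdocIframe(html) {
  return `<iframe sandbox srcdoc="${escapeAttr(html)}"></iframe>`;
}

// Naive embedding (no escaping): the first '"' in the content terminates
// the attribute, so the rest of the HTML lands outside it.
function naiveSrcdocIframe(html) {
  return `<iframe sandbox srcdoc="${html}"></iframe>`;
}

// Decoder for the two entities the escaper emits, so the round trip can be
// checked without a DOM parser.
function decodeAttr(escaped) {
  return escaped.replace(/&quot;/g, '"').replace(/&amp;/g, "&");
}

// Read the srcdoc attribute value back the way a parser would: everything
// up to the next unescaped double quote.
function extractSrcdoc(markup) {
  const m = /srcdoc="([^"]*)"/.exec(markup);
  return m ? decodeAttr(m[1]) : null;
}

// Constructed sample: HTML that legitimately contains both quote styles.
const sampleHtml = '<p class="note">It\'s "quoted" & <b>bold</b></p>';

// Escaped embedding round-trips; naive embedding is cut off at the first '"'.
console.log(extractSrcdoc(srcdocIframe(sampleHtml)) === sampleHtml); // true
console.log(extractSrcdoc(naiveSrcdocIframe(sampleHtml)));           // "<p class="
```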