* Gisle Aas <[EMAIL PROTECTED]> [February 06 2007, 18:41]:
> On 2/6/07, Alex Kapranoff <[EMAIL PROTECTED]> wrote:
> >Good day!
> >
> >I searched the archives and didn't find anything. Were there
> >discussions about supporting weird IE quoting with backquotes
> >(<img alt=`a b c`>)?
> 
> I never heared a request for that before so I don't think so.
> 
> >It seems that IE7 continues to implement it so HTML::Parser should
> >probably too at least with a non-default option.
> >
> >Currently, it is parsed as <img alt="`a" b="b" c`="c`">.
> >
> >What are the thoughts? Backquotes are mostly used in XSS exploits
> >nowadays and I have a hard time dealing with such attacks using
> >HTML::Parser.
> 
> It seems kind of harmless (and easy) to support this so I'm not oposing it.
> What "rules" do IE follow when it can't find the matching ending backquote?

Looks like it doesn't stop at either double or single quote and eats
all the document into the attribute. If there's no closing backquote
or closing angle in the parent tag, the tag is skipped and the parsing
restarts at the next opening angle.

I could not find differences between "backquoting" and normal quoting
with " or '.

-- 
Alex Kapranoff.

Reply via email to