Included below are some e-mails regarding how to parse comments. They
point out inconsistencies between browsers and the spec. These
inconsistencies were known when the spec was written. Browsers aren't
consistent with each other either. I'd rather leave the parser spec stable
here for a while
On Mon, 23 Jan 2006, Lachlan Hunt wrote:
>
> I don't understand these security concerns. How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it? Won't the script be executed in exactly
> the same way in both cases
Lachlan Hunt wrote:
> Ian Hickson wrote:
>> A DOS attack on the server could cause the transmitted text to be:
>>
>>...
>>
Ian Hickson wrote:
Imagine that the page contains the following:
...
...
...where "hostileScript()" is some script that does something bad.
A DOS attack on the server could cause the transmitted text to be:
...
On Sat, 21 Jan 2006, Anne van Kesteren wrote:
>
> Quoting Anne van Kesteren <[EMAIL PROTECTED]>:
> > However, from the specification it is not entirely clear what should happen
> > with EOF
...in Mozilla in quirks mode, is treated as one long comment, but this:
EOFComment " a > "
On Sat, 21 Jan 2006, Anne van Kesteren wrote:
>
> Given the new parsing rules for comments (all those internal discussions...) I
> was trying to write some testcases for how they are defined now.
>
> # PASS. Well, perhaps it is, but then I'd like that to be
> changed. If we take the problematic
Quoting Anne van Kesteren <[EMAIL PROTECTED]>:
However, from the specification it is not entirely clear what should
happen with
Given the new parsing rules for comments (all those internal discussions...) I
was trying to write some testcases for how they are defined now.
# PASS. Well, perhaps it is, but then I'd like that to be changed. If we take
the problematic snippet:
# PASSFAIL" for:
#