Lachlan Hunt wrote:
> Ian Hickson wrote:
>> A DOS attack on the server could cause the transmitted text to be:
>>
>>    ...
>>    <!--
>>    <script> hostileScript(): </script>
>>
>> ...which, if we re-parse the content upon hitting EOF with an open
>> comment, would cause the script to be executed.
>
> I don't understand these security concerns. How is reparsing it after
> reaching EOF any different from someone writing exactly the same script
> without opening a comment before it? Won't the script be executed in
> exactly the same way in both cases?
We're assuming the web app is not going to allow anyone to write the plain <script> tags--a clear XSS risk--and that if it did allow comments it might not sanitize their contents, assuming them to be "safe".
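
The scenario above, as an added example that is not code from the thread or from any browser: a toy tokenizer with two policies for EOF inside an open comment (the names POLICY, tokenize and scriptWouldRun are assumptions, and the inputs are constructed). It shows that a truncated response is harmless under "comment runs to EOF" but hands a <script> start tag to the tree builder under "re-parse".

```javascript
// Added example (not from the thread). Toy tokenizer: only "<!-- -->"
// comments and "<script ...>" start tags are recognised; all else is text.
const POLICY = { COMMENT_TO_EOF: 'comment-to-eof', REPARSE: 'reparse' };

function tokenize(html, policy) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);
      if (end !== -1) {                        // well-formed comment
        tokens.push({ type: 'comment', data: html.slice(i + 4, end) });
        i = end + 3;
      } else if (policy === POLICY.COMMENT_TO_EOF) {
        // Conservative policy: the unterminated comment swallows the
        // rest of the input, so nothing after "<!--" can become a tag.
        tokens.push({ type: 'comment', data: html.slice(i + 4) });
        i = html.length;
      } else {
        // Policy questioned in the thread: rewind, treat "<!--" as text
        // and re-parse what follows as ordinary markup.
        tokens.push({ type: 'text', data: '<!--' });
        i += 4;
      }
      continue;
    }
    const m = /^<script\b[^>]*>/i.exec(html.slice(i));
    if (m) {                                   // script start tag emitted
      tokens.push({ type: 'startTag', name: 'script' });
      i += m[0].length;
      continue;
    }
    const next = html.indexOf('<', i + 1);
    const stop = next === -1 ? html.length : next;
    tokens.push({ type: 'text', data: html.slice(i, stop) });
    i = stop;
  }
  return tokens;
}

// True if a <script> start tag reaches the tree builder, i.e. it would run.
function scriptWouldRun(html, policy) {
  return tokenize(html, policy).some(t => t.type === 'startTag' && t.name === 'script');
}

// Constructed input: a sanitizer let a user comment through because its
// contents were "only a comment"; TRUNCATED models the response being cut
// off by the server-side DoS before the closing "-->".
const FULL = '<p>hi</p>\n<!-- <script>hostileScript();</script> -->\n<p>bye</p>';
const TRUNCATED = '<p>hi</p>\n<!-- <script>hostileScript();</script>';

console.log(scriptWouldRun(FULL, POLICY.REPARSE));              // false
console.log(scriptWouldRun(TRUNCATED, POLICY.COMMENT_TO_EOF));  // false
console.log(scriptWouldRun(TRUNCATED, POLICY.REPARSE));         // true
```

The same check applied to a sanitizer's output would catch the weak assumption in the reply: comment data that contains "<script" is only safe while the tokenizer guarantees the comment is never re-parsed.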
