Securing HTML vs securing HTTP

Jens Alfke jens at
Mon Jan 23 19:48:43 UTC 2006

On 23 Jan '06, at 10:52 AM, Brad Fitzpatrick wrote:

> Likewise, the Perl implementation ignores everything past the </head>.

How does it find the end of the head element? Is it using a full HTML  
parser? If not, is it smart enough to recognize </HEAD> or </ HEAD> or  
any other accepted syntax?

There's also the issue of CDATA in the page title:
	<title><![CDATA[GullibleWiki -- Muahaha rel="openid.server"  

In this case the attacker used a wiki-like app to create a page whose  
title contains an OpenID link. An OpenID client that didn't  
understand CDATA would think this page represented a valid identity.

It might be good to have a test suite of pages like my examples that  
try to fool the link detector.

> Presumably blog/CMS software is safer with its global template than  
> the stuff inside the body.

Yes, in that the admin has to install a plugin or theme to alter it.  
Of course, people tend to be pretty cavalier about installing themes  
— they're thinking more about aesthetics than security. In the case  
of Drupal, themes unfortunately get to generate all of the HTML  
including the <head>. Not sure about other CMS/blog engines.
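As an added illustration of the link-detection pitfalls raised in this message (this is not code from the original post or from any yadis/OpenID implementation), the following Python puts a naive raw-markup scan beside a tokenizer-based extractor that only trusts `<link>` start tags that appear inside `<head>`. The sample pages, the `attacker.example` and `id.example` hosts, and the wiki title are all constructed for the demonstration; the CDATA title is modelled on the GullibleWiki case above, and the other pages exercise an uppercase `</HEAD>`, a body-injected link, and a page with no `</head>` at all.

```python
"""Defensive OpenID <link> extraction: naive raw-text scan vs. a head-only
tokenizer-based extractor.  Added example; all sample pages and URLs below
are constructed for illustration."""
import re
from html.parser import HTMLParser

# Naive detector: looks for the attribute pair anywhere in the raw markup.
NAIVE_RE = re.compile(r'rel="openid\.server"\s+href="([^"]+)"', re.IGNORECASE)


def naive_openid_server(html):
    """Return the first href that follows rel="openid.server" in the raw text."""
    m = NAIVE_RE.search(html)
    return m.group(1) if m else None


class HeadLinkExtractor(HTMLParser):
    """Collect href values of <link rel="openid.server"> start tags seen inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False
        self.servers = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so <LINK REL=...> is handled.
        if self.head_done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            # An explicit <body> ends the head even when </head> is missing.
            self.head_done = True
        elif tag == "link" and self.in_head:
            first = {}
            for name, value in attrs:
                first.setdefault(name, value)  # browsers keep the first duplicate attribute
            rels = (first.get("rel") or "").lower().split()  # rel is a space-separated list
            href = first.get("href")
            if "openid.server" in rels and href:
                self.servers.append(href)

    def handle_endtag(self, tag):
        if tag == "head":  # also matches </HEAD>, since names are lowercased
            self.in_head = False
            self.head_done = True


def openid_server(html):
    """Return the first openid.server href declared in the document head, else None."""
    p = HeadLinkExtractor()
    p.feed(html)
    p.close()
    return p.servers[0] if p.servers else None


# Constructed sample 1: user-controlled wiki title whose CDATA text mimics link attributes.
CDATA_TITLE = """<html><head>
<title><![CDATA[GullibleWiki -- Muahaha" rel="openid.server" href="http://attacker.example/" ]]></title>
</head><body><p>A wiki page.</p></body></html>"""

# Constructed sample 2: no link in the head, uppercase </HEAD>, attacker link in the body.
BODY_INJECTION = """<HTML><HEAD><TITLE>Blog</TITLE></HEAD>
<BODY><p>Comment:</p><link rel="openid.server" href="http://attacker.example/"></BODY></HTML>"""

# Constructed sample 3: legitimate template with uppercase tags and href before rel.
LEGIT_UPPERCASE = """<HTML><HEAD>
<LINK HREF="https://id.example/server" REL="openid.server">
</HEAD><BODY></BODY></HTML>"""

# Constructed sample 4: </head> omitted entirely; <body> must still close the head.
MISSING_HEAD_END = """<html><head><title>t</title>
<body><link rel="openid.server" href="http://attacker.example/"></body></html>"""


if __name__ == "__main__":
    for label, page in [("cdata title", CDATA_TITLE), ("body injection", BODY_INJECTION),
                        ("legit uppercase", LEGIT_UPPERCASE), ("missing </head>", MISSING_HEAD_END)]:
        print(f"{label:16} naive={naive_openid_server(page)!r:36} head-only={openid_server(page)!r}")
```

The contrast is the point: the raw-text scan both over-matches (it accepts attacker text in a title or in the body, with or without a closing `</head>`) and under-matches (it misses a perfectly valid uppercase `<LINK HREF=... REL=...>` because the attributes are in the other order), while the tokenizer-based version only ever sees a link when the markup actually contains a `<link>` start tag in the head. The `<body>` rule covers pages with no `</head>`; how unusual syntax such as `</ HEAD>` is tokenized depends on the parser and is exactly the kind of case a test suite like the one suggested above should pin down.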
