Grave accent (back-tick) IE mXSS protection and implementation in Utils\Html

Member | 27

In Utils\Html – see…ils/Html.php#L560 – I have found (correct me if I am mistaken) an mXSS protection against an old IE bug that causes IE to interpret the grave accent ` character the same way as ' or ", so it is possible to terminate the attribute sequence and insert custom code (see – English version) – in this case Nette's Html object appends a space to the end of the value.

What I don't understand is this condition:

(strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '')

→ which tells me that if the value contains a grave accent and does not contain any of [ <>"'], append a space, otherwise leave it as is. Can somebody explain to me why? Is this condition (considering the old IE mXSS protection) really correct? Shouldn't a space be appended when the string DOES contain any of these characters? I am really confused. Or is there some other "magic" hidden in this condition which I don't see?

Why am I asking such a nitpicker's question? We are using a custom system that partially uses some parts of Nette (Latte, Utils, …), and for compatibility and implementation reasons we are trying to modify our custom forms to behave like Nette's forms – in terms of rendering and escaping of characters (and NO, we can't use Nette Forms).
And while looking at how escaping of Nette's Html attributes is implemented, I found this line of code, which I really don't understand :-)
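To make the condition concrete, here is a small attribute renderer written for this thread (not Nette's own code) that applies the quoted rule to a few constructed values and shows which ones receive the trailing space; `renderAttribute` and the sample values are assumptions of the example.

```php
<?php
declare(strict_types=1);

/**
 * Render one attribute as name="value" applying the condition quoted above.
 * Constructed illustration for this thread, not Nette's own implementation.
 *
 * Why the rule fires only when none of ' <>"\'' is present: old IE's innerHTML
 * serializer omitted the quotes around an attribute value that contained none
 * of those characters, and on re-parsing treated a backtick as a quote. A
 * value with a backtick and nothing else "quote-worthy" would therefore come
 * back unquoted; the appended space forces the serializer to keep the quotes.
 * A value that already contains one of those characters keeps its quotes anyway.
 */
function renderAttribute(string $name, string $value): string
{
    // Use the delimiter that does not occur in the value (Nette does the same).
    $q = strpos($value, '"') === false ? '"' : "'";

    // Escape & and the chosen delimiter; other characters stay raw, which is
    // why the guard below can be evaluated on the unescaped value.
    $escaped = str_replace(
        ['&', $q],
        ['&amp;', $q === '"' ? '&quot;' : '&#39;'],
        $value
    );

    // The condition from the question: backtick present AND no character that
    // would force the quotes to be kept -> append one space inside the quotes.
    $guard = (strpos($value, '`') !== false && strpbrk($value, ' <>"\'') === false)
        ? ' ' : '';

    return ' ' . $name . '=' . $q . $escaped . $guard . $q;
}

// Constructed sample values showing which ones receive the trailing space.
$samples = [
    'plain',      // no backtick: unchanged
    'a`b',        // backtick, nothing forcing quotes: space appended
    'a `b',       // backtick plus a space: left as is
    'a`b<c',      // backtick plus <: left as is
    'say "hi"`',  // backtick plus ": delimiter switches to ', left as is
];
foreach ($samples as $value) {
    echo renderAttribute('title', $value), "\n";
}
```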


Member | 2128

Read this commit message:…989448fb9123



Got it. Thanks!

5 years ago