Grave accent (back-tick) IE mXSS protection and implementation in Utils\Html
- lutor
Hi,
in Utils\Html – see https://github.com/…ils/Html.php#L560 –
I have found (correct me if I am mistaken) an mXSS protection against an old
IE bug that causes IE to interpret the grave accent ` character the same way as '
or ", so it is possible to terminate the attribute sequence and insert custom code
(see https://html5sec.org/#59 – English version) – in this
case Nette's Html object appends a space to the end of the value.
What I don't understand is this condition:
(strpos($value, '`') !== FALSE && strpbrk($value, ' <>"\'') === FALSE ? ' ' : '')
→ which tells me that if the value contains a grave accent and does not contain any of [ <>"'], append a space, otherwise leave it as is. Can somebody explain to me why? Is this condition (considering the old IE mXSS protection) really correct? Shouldn't a space be appended when the string DOES contain any of these characters? I am really confused. Or is there some other "magic" hidden in this condition which I don't see?
Why am I asking such a nitpicker's question? We are using a custom system
that partially uses some parts of Nette (Latte, Utils, …), and for some
compatibility and implementation reasons we are trying to modify our custom
forms to behave like Nette's forms – in the meaning of rendering and
escaping of characters (and NO, we can't use Nette Forms).
And while looking for how escaping in Nette's Html attributes is implemented,
I have found this line of code, that I really don't understand :-)
Thanks.
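An added example, not Nette's own code and not part of the post above: it reproduces the quoted condition in a small attribute renderer so both branches can be compared on constructed inputs. It assumes the old-IE behaviour documented in the linked html5sec entry and Heiderich's mXSS research: IE's innerHTML serializer drops the quotes around an attribute value that contains none of space, <, >, ", ', and on re-parsing treats a backtick as a quote delimiter, so the trailing space exists to keep the serializer from dropping the quotes.

```php
<?php
// Added example (not Nette's code): mirrors the backtick guard quoted in the post.
declare(strict_types=1);

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 *
 * Old IE re-serializes an attribute via innerHTML WITHOUT quotes when the value
 * contains none of: space, <, >, ", '. When that unquoted markup is parsed again,
 * IE treats ` as a quote delimiter, so a value like a`b can end the attribute
 * early. Appending a space forces IE to keep the quotes on serialization.
 * Values that already contain one of those characters are kept quoted anyway,
 * which is why the condition pads only when NONE of them is present.
 */
function attrValue(string $value): string
{
    // Same condition as in Utils\Html: backtick present AND no space/<>/"/' present.
    $pad = (strpos($value, '`') !== false && strpbrk($value, ' <>"\'') === false) ? ' ' : '';
    // htmlspecialchars escapes & < > " ' but leaves ` untouched, hence the padding.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . $pad;
}

function renderAttr(string $name, string $value): string
{
    return $name . '="' . attrValue($value) . '"';
}

// Constructed inputs, one per branch of the condition.
$cases = [
    'plain'               => 'hello',   // no backtick: title="hello"
    'backtick only'       => 'a`b',     // padded:      title="a`b "
    'backtick with space' => 'a`b c',   // unchanged:   title="a`b c"
    'backtick with quote' => 'a`"b',    // escaped:     title="a`&quot;b"
];
foreach ($cases as $label => $value) {
    printf("%-20s %s\n", $label, renderAttr('title', $value));
}
```

Only the second case gets the extra space; in the other three the serializer would keep the quotes on its own, so the condition leaves the value alone.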