[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: What characters can go into a CDATA section and acomment?

• From: "Liam R. E. Quin" <liam@fromoldbooks.org>
• To: Peter Flynn <peter@silmaril.ie>, xml-dev@l...
• Date: Thu, 24 Mar 2022 10:52:40 -0400

On Thu, 2022-03-24 at 08:28 +0000, Peter Flynn wrote:
> 
> CDATA sections are also used by many web developers unsure of exactly
> /what/ a user is going to input, and exactly /when/ in subsequent 
> non-XML processes the markup is going to be stripped, so they use it
> as 
> a safety-net of last resort, which often goes wrong; 

Yup, this is why CDATA injection attacks are a thing.

Little Bobby Tables now works as a back end developer...


-- 
Liam Quin, https://www.delightfulcomputing.com/
Available for XML/Document/Information Architecture/XSLT/
XSL/XQuery/Web/Text Processing/A11Y training, work & consulting.
Barefoot Web-slave, antique illustrations:  http://www.fromoldbooks.org

• References:
  • What characters can go into a CDATA section and a comment? (I foundinconsistencies)
    • From: Roger L Costello <costello@mitre.org>
  • Re: What characters can go into a CDATA section and acomment? (I found inconsistencies)
    • From: Mukul Gandhi <mukulg@softwarebytes.org>
  • Re: What characters can go into a CDATA section and acomment? (I found inconsistencies)
    • From: Peter Flynn <peter@silmaril.ie>