
Can't believe nowhere in the article is the tick/grave mentioned ( ` )

That bugger can really do some damage.




I debated whether or not to mention this, and in the end decided I didn't want an in-depth discussion of edge cases to overwhelm the basic message I was trying to get across, which is that context is key.

As far as I know, ` is only an issue when using user input in innerHTML with IE. Are there other situations where it can be harmful?


` can be used in place of single or double quotes around attribute values in IE.


My understanding (and I tested to confirm) is that IE only treats ` as an attribute delimiter when it's assigned to an element's innerHTML value dynamically. So this is important when working with client-side code, but not so much when generating HTML on the server.

Am I wrong?


I just tried the following HTML:

    <input type="text" value=`asdf` />

In IE, the input box contained the string asdf. In other browsers, it contained the string `asdf`


You're right. I was mistakenly testing only a limited case (described at http://html5sec.org/#59). Thanks!
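The thread's point, that a backtick-delimited attribute is honoured by IE and so a quote-only escaper is not enough in attribute context, as an added example that is not part of the article or of any comment above. It contrasts a minimal encoder that covers only the standard quote characters with the attribute-context rule OWASP recommends (encode every non-alphanumeric character as a numeric entity), rendered into the same backtick-delimited markup the commenter tested. The payload, the function names and the delimiter check are this example's own constructions.

```javascript
// Added example, not code from the article or the thread.
// The payload and all names here are constructed for illustration.

// Minimal encoder that handles only the standard HTML delimiters.
// It leaves the backtick alone, which is exactly the gap the thread is about.
function escapeQuotesOnly(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Attribute-context encoder: every character outside [A-Za-z0-9] becomes a
// numeric entity. That covers " ' ` < > = and whitespace without needing to
// know which characters each browser accepts as an attribute delimiter.
function escapeAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => {
    const hex = ch.codePointAt(0).toString(16).toUpperCase();
    return "&#x" + hex + ";";
  });
}

// The markup from the thread, with the attribute delimited by backticks,
// which IE treats as quotes. An unescaped backtick in the value closes the
// attribute early and whatever follows is parsed as further attributes.
function renderBacktickDelimited(value, escape) {
  return '<input type="text" value=`' + escape(value) + "` />";
}

// Does the encoded text still contain anything a browser could read as an
// attribute delimiter, attribute separator or tag boundary?
const DELIMITERS = /[\s"'`<>=]/;
function encodedValueIsInert(encoded) {
  return !DELIMITERS.test(encoded);
}

// Constructed payload: a backtick closes the value, an event handler is
// appended, and a trailing backtick re-opens a dummy attribute so the
// template's own closing backtick is absorbed.
const PAYLOAD = "asdf` onfocus=alert(1) autofocus x=`";

function demo() {
  return {
    naive: renderBacktickDelimited(PAYLOAD, escapeQuotesOnly),
    hardened: renderBacktickDelimited(PAYLOAD, escapeAttr),
  };
}

console.log(demo().naive);
console.log(demo().hardened);
```

The quote-only version emits the payload untouched, so in IE the backtick ends the value and `onfocus=alert(1) autofocus` become live attributes; the non-alphanumeric encoder leaves nothing the parser can treat as a delimiter, whichever character the template author used to quote the attribute. Always quoting attributes with `"` helps, but the encoder is what makes the output independent of that convention.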



