Hacker News new | past | comments | ask | show | jobs | submit login

Cant believe nowhere in the article is the tick/grave mentioned ( ` )

That bugger can really do some damage.

I debated whether or not to mention this, and in the end decided I didn't want an in-depth discussion of edge cases to overwhelm the basic message I was trying to get across, which is that context is key.

As far as I know, ` is only an issue when using user input in innerHTML with IE. Are there other situations where it can be harmful?

` can be used in place of single or double quotes around attribute values in IE.

My understanding (and I tested to confirm) is that IE only treats ` as an attribute delimiter when it's assigned to an element's innerHTML value dynamically. So this is important when working with client-side code, but not so much when generating HTML on the server.

Am I wrong?

I just tried the following HTML:

    <input type="text" value=`asdf` />
In IE, the input box contained the string asdf. In other browsers, it contained the string `asdf`

You're right. I was mistakenly testing only a limited case (described at http://html5sec.org/#59). Thanks!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact