Severity
Highly Severe
Problem Description
When accepting HTML content from untrusted users, Web sites sometimes employ some kind of filtering to ensure that the content cannot contain scripts. If the content is to be used inside an HTML attribute, characters that separate attributes need to be filtered out to prevent scripted attributes from being created.
Due to a specification change, characters whose behaviour was previously undefined, and which could potentially be treated as attribute separators, should no longer be treated that way. Filters based on the newer specifications may not be aware of the full range of possible characters, and may not filter them completely. This would allow cross-site scripting against browsers, including Opera, that still accept the previously undefined characters as attribute separators.
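As an added example (not Opera's code or any particular site's filter), the JavaScript below contrasts a separator denylist with an encoder that does not depend on knowing which characters a browser treats as separators. The function names, the assumed separator list (HTML whitespace) and the sample input are constructed for illustration; the advisory does not enumerate the affected characters.

```javascript
// Added example: names are hypothetical, sample input is constructed.

// Assumption: the filter author's idea of "attribute separators" is the
// HTML whitespace set. The advisory does not list the characters itself.
const ASSUMED_SEPARATORS = [" ", "\t", "\n", "\f", "\r"];
const isAlnum = (ch) => /^[A-Za-z0-9]$/.test(ch);

// Denylist approach: remove only the characters the filter knows about.
// Anything else reaches the browser unchanged.
function denylistFilter(value) {
  return [...String(value)]
    .filter((ch) => !ASSUMED_SEPARATORS.includes(ch))
    .join("");
}

// Audit helper: list the characters the denylist lets through whose
// handling therefore depends on the browser's parser.
function unhandledChars(value) {
  const found = new Set();
  for (const ch of String(value)) {
    if (!isAlnum(ch) && !ASSUMED_SEPARATORS.includes(ch)) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase();
      found.add("U+" + hex.padStart(4, "0"));
    }
  }
  return [...found];
}

// Allowlist approach: keep ASCII letters and digits, emit every other
// code point as a numeric character reference.
function encodeAttributeValue(value) {
  let out = "";
  for (const ch of String(value)) {
    out += isAlnum(ch)
      ? ch
      : "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  }
  return out;
}

// Always quote the value, so no raw character from the input can end it.
function renderTitleAttribute(value) {
  return 'title="' + encodeAttributeValue(value) + '"';
}

// Constructed sample: a control character outside the assumed list.
const SAMPLE = "a\u000Bb c";
```

Running `unhandledChars` over stored user content shows which characters a denylist filter has been passing through untouched.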
Opera’s Response
Opera Software has released Opera 9.52, where only the characters listed in the recent specification are treated as attribute separators.
Credits
Thanks to Chris Weber of Casaba Security for reporting this issue to Opera Software.