Certain characters can be used to allow cross-site scripting – Opera Security Advisories


Highly Severe

Problem Description

When accepting HTML content from untrusted users, Web sites sometimes employ some kind of filtering to ensure that the content cannot contain scripts. If the content is to be used inside an HTML attribute, characters that separate attributes need to be filtered out to prevent scripted attributes from being created.


Due to a specification change, characters whose behaviour was previously undefined, and which could potentially be treated as attribute separators, should no longer be treated that way. Filters based on the newer specifications may not be aware of the full range of possible characters, and may not filter them completely. This would allow cross-site scripting against browsers, including Opera, that allow the previously undefined characters.
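
On the filter side, the robust approach is to encode by allowlist and quote the attribute, rather than strip a list of known separators. The following is an added example, not code from Opera or from this advisory; the function names and the sample input are constructed, and U+000B is only an arbitrary stand-in for "a character the filter's list does not contain", since the advisory does not enumerate the affected characters.

```javascript
// Added example: blocklist filtering vs. allowlist encoding for attribute values.
// All names here are hypothetical; the sample input is constructed.

// Whitespace characters the current HTML specification defines:
// tab, line feed, form feed, carriage return, space.
const SPEC_SEPARATORS = /[\t\n\f\r ]/g;
const SAFE_CHAR = /^[A-Za-z0-9]$/;

// Weak form: strips only the separators the filter author knows about.
// Its safety depends on every browser agreeing with that list.
function stripKnownSeparators(value) {
  return value.replace(SPEC_SEPARATORS, "");
}

// Hardened form: anything that is not an ASCII letter or digit is emitted
// as a numeric character reference, so no raw character in the output can
// be interpreted as a separator, quote or delimiter by any parser.
function encodeForAttribute(value) {
  let out = "";
  for (const ch of value) { // iterates by code point, not UTF-16 unit
    out += SAFE_CHAR.test(ch)
      ? ch
      : "&#x" + ch.codePointAt(0).toString(16).toUpperCase() + ";";
  }
  return out;
}

// Always emit the value inside double quotes as well.
function renderAttribute(name, value) {
  return name + '="' + encodeForAttribute(value) + '"';
}

// Audit helper: code points in a filtered string that are still raw
// (neither a letter nor a digit).
function rawNonAlnum(filtered) {
  return [...filtered]
    .filter((ch) => !SAFE_CHAR.test(ch))
    .map((ch) => ch.codePointAt(0));
}

// Constructed sample: U+000B is not in SPEC_SEPARATORS.
const sample = "blue\u000Bdata-x=1";
console.log(rawNonAlnum(stripKnownSeparators(sample))); // raw characters survive
console.log(renderAttribute("title", sample));          // everything encoded
```

The blocklist output still carries raw characters whose meaning is left to each browser's parser, while the encoded output contains only letters, digits and character references inside a quoted value.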

Opera’s Response

Opera Software has released Opera 9.52, in which only the characters listed in the recent specification are treated as attribute separators.


Thanks to Chris Weber of Casaba Security for reporting this issue to Opera Software.