Hacker News
by vilhelm_s 4366 days ago
HTML5 aims to specify how to parse broken HTML as well (http://www.whatwg.org/specs/web-apps/current-work/multipage/...), and there should ideally not be any differences between different parsers.

The HTML5 specification explicitly asks you to not think about this yourself: "for security reasons, it is imperative that those rules be followed precisely. Differences in how invalid byte sequences are handled can result in, amongst other problems, script injection vulnerabilities ("XSS")".
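An added example, not part of the comment above or of the HTML5 specification, showing why two components that handle an invalid byte differently can disagree about whether markup contains a script tag. All function names and the sample bytes are hypothetical, and Python's `errors="ignore"` / `errors="replace"` stand in for a lenient decoder and a replacement-character decoder respectively.

```python
# Constructed sample input: 0xC0 can never appear in valid UTF-8.
SAMPLE = b"<scr\xc0ipt>x</scr\xc0ipt>"

def decode_dropping(raw: bytes) -> str:
    """Hypothetical lenient decoder: silently drops invalid bytes."""
    return raw.decode("utf-8", errors="ignore")

def decode_replacing(raw: bytes) -> str:
    """Hypothetical strict-recovery decoder: invalid byte becomes U+FFFD."""
    return raw.decode("utf-8", errors="replace")

def contains_script_tag(text: str) -> bool:
    """Toy check used only to compare the two views of the same bytes."""
    return "<script" in text.lower()

def mismatched_pipeline(raw: bytes):
    """The filter inspects one decoding; the consumer renders another."""
    filter_verdict = contains_script_tag(decode_replacing(raw))
    consumer_view = decode_dropping(raw)
    return filter_verdict, consumer_view

def consistent_pipeline(raw: bytes):
    """Decode once, then inspect and pass on that same string."""
    text = decode_replacing(raw)
    return contains_script_tag(text), text

if __name__ == "__main__":
    verdict, seen = mismatched_pipeline(SAMPLE)
    print("mismatched: filter flagged =", verdict, "| consumer sees", repr(seen))
    verdict, seen = consistent_pipeline(SAMPLE)
    print("consistent: filter flagged =", verdict, "| consumer sees", repr(seen))
```

In the mismatched pipeline the filter reports nothing while the consumer ends up with a well-formed `<script>` element; when both stages share one decoding, the invalid byte stays visible as U+FFFD and no tag is formed.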