Ok, it's time to get out your baseball bats and try to break open this piñata. This is a little testing ground to see if you can generate a YSOD by breaking the XHTML well-formedness of my hacked WordPress install.
Leave a comment to try and break the site. I'll periodically remove comments here, so try as often as you want with as many dirty tricks as you can (nothing malicious please, just demonstrative). I have a feeling this is opening a can of, well, you know...
The scores so far:
- Sam: 2 (duplicate attributes, two dashes in an XML comment)
- Haruka: 1 (open tags are not closed when WordPress inserts a closing </p> tag)
- Jacques: 1 (invalid Unicode characters)
- Jeff: 1 (Raw text not escaped)
- Stephen: 1 (A comment hidden inside href is not closed)
- John Bilicki: 1 (XML entities like &foo; not escaped)
- Helder: 1 (Recent comments truncate without completing XML entity)
Comment: <!– foo -- bar –>
Sam, that should now work, see WP trac above.
Here is my test, just being goofy here…
>$%^#%!@#$@$&*&%(%&!#$>a///\\\\\/////\\\\\
< nbsp; & & //
<script >
document.writeln(‘hello world!<br/<\n’);
</script >
Human testing the test page! blah 🙂
document.writeln(‘hello world!\n’);
fubar
bar
<a 7a=”foo”>bar</a>
and
<7a>foo</7a>
both are prevented from breaking the page, unless you are logged in, that is. (In case this is what Jacques tried here: http://blog.codedread.com/xhtml-pinata/#comment-12531)
How about this: <a invalid;name=”foo”>bar</a>
bar
How about this: <a invalid#name=”foo”>bar</a>
bar
Another invalid comment: <!– test —>
<? foo ?>
<a href=”foo”>Open link…
Open link…
document.writeln(’hello world!<br/<\n’);
document.writeln(’hello world!<br/<\n’);
<a><strong>
<p>paragraph
<!—<<–>
Waves
Nice one, Haruka! I’ll do some investigation on this – I’m pretty sure it’s an open WP bug (they should be closing your <a> and <strong> tags before inserting the closing </p> tag).
Well, not going to break anything this time 🙂 About this comment escaping and all… wouldn’t it be easier to validate comments against some simple schema (say RelaxNG) and if something is wrong just use htmlspecialchars() or similar on the whole string? That’s all or nothing though… (preview helps with this).
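The breakage categories in the scores list above (duplicate attributes, `--` inside a comment, unclosed tags, invalid characters, raw `<`, unknown entities, a `<` hidden in an `href`, entities cut off by truncation) are all things a strict XML parser rejects, which is essentially the "validate, and if something is wrong escape the whole string" approach suggested in the comment just above. The following is an added example, not code from this blog or from WordPress: it uses Python's stdlib expat-based parser as the well-formedness check and `html.escape` as the all-or-nothing fallback. The sample fragments are constructed for the example and only modelled on the kinds of input listed in the scores.

```python
import html
import xml.etree.ElementTree as ET


def is_well_formed(fragment: str) -> bool:
    """True if the comment fragment parses as XML once wrapped in a single
    container element (the wrapper allows several top-level tags)."""
    try:
        ET.fromstring("<div>" + fragment + "</div>")
    except (ET.ParseError, ValueError):
        # ParseError covers duplicate attributes, "--" inside a comment,
        # unclosed or mismatched tags, control characters, a raw "<",
        # entities other than the five XML ones, and "<" inside an attribute.
        # ValueError covers lone surrogates that cannot be encoded as UTF-8.
        return False
    return True


def sanitize_comment(fragment: str) -> str:
    """Keep a well-formed fragment as-is; otherwise escape the whole string
    so it renders as literal text instead of breaking the XHTML page."""
    if is_well_formed(fragment):
        return fragment
    return html.escape(fragment, quote=True)


def safe_excerpt(fragment: str, limit: int) -> str:
    """Truncate for a 'recent comments' widget. A naive cut can split an
    entity or a tag, so the cut fragment is re-checked and escaped if needed."""
    return sanitize_comment(fragment[:limit])


# Constructed samples (made up for this example, not copied from the comments),
# one per kind of breakage from the scoreboard.
SAMPLES = {
    "clean":               '<b>bold</b> and <a href="http://example.invalid/">link</a>',
    "duplicate attribute": '<a href="x" href="y">dup</a>',
    "double dash comment": '<!-- foo -- bar -->',
    "unclosed tags":       '<a><strong>never closed',
    "control character":   'bad \x01 char',
    "raw less-than":       'if (a < b) { ... }',
    "unknown entity":      '&foo; and &nbsp;',
    "comment in href":     '<a href="<!--foo">bar</a>',
    "truncated entity":    'caf&am',
}


def check_all(samples=SAMPLES):
    """Map each sample name to whether the parser accepts it."""
    return {name: is_well_formed(frag) for name, frag in samples.items()}


if __name__ == "__main__":
    for name, frag in SAMPLES.items():
        print(f"{name:20} well-formed={is_well_formed(frag)!s:5} -> {sanitize_comment(frag)!r}")
```

Note that this check is stricter than an XHTML DTD: `&nbsp;` and other HTML named entities are rejected along with `&foo;`, because expat only knows the five predefined XML entities without a DTD. That is the safe direction for a well-formedness gate (a rejected comment is merely shown escaped, not lost), and it is exactly why the unescaped `nbsp` and `&foo;` attempts above count as breakage.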
<a href=”<!--foo”>bar</a>
&foo;
<!– foo -- bar –>
Script and CData attempt
// note the unescaped less than…
for(var i = 0; i < 5; i++){
alert("hi!");
}
/>
<p fooo\=\"b” > blah
Ok, I’ve done it!
Let’s try once again