{"id":449,"date":"2008-04-06T13:17:06","date_gmt":"2008-04-06T18:17:06","guid":{"rendered":"http:\/\/blog.codedread.com\/xhtml-pinata\/"},"modified":"2011-12-24T18:53:05","modified_gmt":"2011-12-24T18:53:05","slug":"xhtml-pinata","status":"publish","type":"page","link":"https:\/\/www.codedread.com\/blog\/xhtml-pinata\/","title":{"rendered":"XHTML Pi\u00f1ata"},"content":{"rendered":"<p>Ok, it's time to get out your baseball bats and try to break open this pi\u00f1ata.  This is a little testing ground to see if you can generate a <a href=\"https:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=418305\" title=\"Yellow Screen Of Death\">YSOD<\/a> by breaking the XHTML well-formedness of my hacked WordPress install.<\/p>\n<p><object type=\"image\/svg+xml\" width=\"100\" height=\"100\" align=\"right\" hspace=\"10\" data=\"http:\/\/www.codedread.com\/clipart\/worms.svgz\"><span\/><\/object>Leave a comment to try and break the site.  I'll periodically remove comments here, so try as often as you want with as many dirty tricks as you can (nothing malicious please, just demonstrative).  
I have a feeling this is opening a can of, well, you know...<\/p>\n<p>The scores so far:<\/p>\n<ul>\n<li><a href=\"http:\/\/intertwingly.net\/\" title=\"Sam Ruby\">Sam<\/a>:  2 (<a href=\"http:\/\/trac.wordpress.org\/ticket\/6602\">duplicate attributes<\/a>, <a href=\"http:\/\/trac.wordpress.org\/ticket\/6642\">two dashes in an XML comment<\/a>)<\/li>\n<li><a href=\"http:\/\/serenareem.net\/\">Haruka<\/a>: 1 (open tags are not closed when WordPress inserts a closing &#60;\/p> tag)<\/li>\n<li><a href=\"http:\/\/golem.ph.utexas.edu\/~distler\/blog\/index.shtml\" title=\"Jacques Distler\">Jacques<\/a>:  1 (<a href=\"http:\/\/trac.wordpress.org\/ticket\/5998\">invalid Unicode characters<\/a>)<\/li>\n<li><a href=\"http:\/\/blog.codedread.com\/\" title=\"Jeff Schiller\">Jeff<\/a>:  1 (<a href=\"http:\/\/trac.wordpress.org\/ticket\/6583\">Raw text &#38;#xfffe; not escaped<\/a>)<\/li>\n<li><a href=\"http:\/\/blog.codedread.com\/xhtml-pinata\/#comment-12685\" title=\"Stephen\">Stephen<\/a>:  1 (A comment hidden inside href is not closed)<\/li>\n<li><a href=\"http:\/\/blog.codedread.com\/xhtml-pinata\/#comment-13039\" title=\"JohnB\">John Bilicki<\/a>:  1 (XML entities like &#38;foo; not escaped)<\/li>\n<li><a href=\"https:\/\/www.codedread.com\/blog\/xhtml-pinata\/comment-page-1\/#comment-1352\">Helder<\/a>:  1 (Recent comments truncate without completing XML entity)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Ok, it&#8217;s time to get out your baseball bats and try to break open this pi\u00f1ata. This is a little testing ground to see if you can generate a YSOD by breaking the XHTML well-formedness of my hacked WordPress install. Leave a comment to try and break the site. 
I&#8217;ll periodically remove comments here, so [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-449","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/pages\/449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/comments?post=449"}],"version-history":[{"count":3,"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/pages\/449\/revisions"}],"predecessor-version":[{"id":1035,"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/pages\/449\/revisions\/1035"}],"wp:attachment":[{"href":"https:\/\/www.codedread.com\/blog\/wp-json\/wp\/v2\/media?parent=449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}