Stricter attribute parsing

[craigfrancis]

In regards to blocking \n and < in attributes:

https://crbug.com/680970

If an opt-in to stricter parsing of attributes is required, maybe a CSP could be used to say that not only will this website url-encode the attribute values (e.g. using %0A instead of \n), but all attribute values will be quoted, e.g.

<img src=not-valid />
<img src="valid" alt='valid' />

---

As we don't want the attacker providing the opening quote mark themselves:

/path/?q="https://example.com/collect-xss...

As an XSS could add that to the HTML like:

<input name=q value="https://example.com/collect-xss... /> Customer details

---

This should apply to those who use application/xhtml+xml parsing mode as well :-)

<input name="name" id="name" required="required"  />

[mikewest]

I don't intend to address this in CSP3, but I'll leave it open as a future feature request.

@annevk might have opinions about tweaking the parser in general.

[annevk]

I think if you want a stricter HTML (and more control over the output DOM) we should just invest more in XML. We could do things there. The HTML parser is super complex to fiddle with.

[craigfrancis]

I do use XML mode during development, but I always worry about enabling it on a Live website, just incase I miss something.

But as that's kind of the point (website breaks when XML formatting is wrong), maybe it's not worth pursuing (I can't imagine many websites would use this feature).