This function replaces certain known characters that affect the parsing of the HTML5 template page. For example, some versions of IE strip out the null character, which leads to a vulnerability.
Take this as an example:
<\x00script>alert(0);
If the browser complies with the HTML5 spec, the \x00 char is replaced by \ufffd and treated as the tag name; in IE, however, the \x00 is stripped, leading to execution of the JS.
The idea of this function is to replace these known characters to achieve consistency across browser implementations when we parse the template file.
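
The replacement described above, as an added example that is not the project's own code: it compares what a NUL-stripping browser and a non-stripping parser see before and after normalization. The function names, the simplified script-tag check and the sample string are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not the project's API.
const REPLACEMENT = '\ufffd';

// Replace NUL with U+FFFD before the template is parsed, so that no
// consumer receives a character it might silently drop.
function normalizeTemplateInput(html) {
  return html.replace(/\x00/g, REPLACEMENT);
}

// Model of the legacy behaviour described in the text: NUL is stripped.
function legacyStripNul(html) {
  return html.replace(/\x00/g, '');
}

// Simplified check (an assumption, not a full tokenizer):
// does the markup open a <script> element?
function opensScriptTag(html) {
  return /<script[\s\/>]/i.test(html);
}

// Constructed sample input, taken from the example in the text.
const sample = '<\x00script>alert(0);';

// Report how each consumer classifies the input, raw and normalized.
function compare(input) {
  const normalized = normalizeTemplateInput(input);
  return {
    rawInStrippingBrowser: opensScriptTag(legacyStripNul(input)),
    rawInParser: opensScriptTag(input),
    normalizedInStrippingBrowser: opensScriptTag(legacyStripNul(normalized)),
    normalizedInParser: opensScriptTag(normalized),
  };
}

console.log(compare(sample));
```

Before normalization the two consumers disagree about whether a script element opens; afterwards both see the same non-script text.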