I don't know what you mean by ‘vulnerability’, but there is one mistake many people make with CDATA sections. This happens when a lazy programmer doesn't really understand text-escaping, and tries to avoid the normal process of &-encoding special characters in XML. They think they can get away with:

print "<element><![CDATA["+textstring+"]]></element>";

and whilst this will indeed stop a < or & character in textstring being treated as markup, it's not watertight because textstring might contain a ]]> sequence, resulting in:

<element><![CDATA[ Foo ]]> <bar>I'm an unexpected element!</bar> ]]></element>

This is an XML-injection, which like an HTML-injection could potentially have an XSS-like security impact.

So you'd still need to escape some sequences in CDATA (usually, you would split a ]]> sequence between two CDATA sections). In practice that makes using CDATA no easier than just &-encoding your text content the normal way. So really there is no reason ever to use a CDATA section.
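The three approaches discussed in this answer, as an added example that is not part of the original post: the naive CDATA wrapper, the ]]>-splitting fix, and ordinary &-encoding, each fed the same constructed hostile string and then parsed back. The input text, the helper names and the use of Python's stdlib parser are assumptions for the demonstration; the hostile string reopens a CDATA section at its end so the naive output stays well-formed and the injected element is visible rather than a parse error.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: untrusted text carrying a CDATA terminator, some markup,
# and a reopened CDATA section so the naive document remains well-formed.
HOSTILE_TEXT = "Foo ]]><bar>I'm an unexpected element!</bar><![CDATA[ tail"


def naive_cdata(text):
    """The shortcut the answer warns about: text dropped into CDATA unchanged."""
    return "<element><![CDATA[" + text + "]]></element>"


def safe_cdata(text):
    """Split every ']]>' across two CDATA sections.

    ']]' stays in the first section, '><![CDATA[' closes it and opens a new
    one, and '>' starts the second, so the parser never meets ']]>' in data.
    """
    split = text.replace("]]>", "]]]]><![CDATA[>")
    return "<element><![CDATA[" + split + "]]></element>"


def escaped(text):
    """The ordinary route: &-encode <, > and & with the stdlib helper."""
    return "<element>" + escape(text) + "</element>"


def parse(xml):
    """Return (text content, child tag names) exactly as a parser sees them."""
    root = ET.fromstring(xml)
    return root.text or "", [child.tag for child in root]


if __name__ == "__main__":
    for label, builder in (("naive", naive_cdata),
                           ("split", safe_cdata),
                           ("escaped", escaped)):
        text, children = parse(builder(HOSTILE_TEXT))
        print(f"{label:8} text={text!r} children={children}")
```

Only the naive builder yields a child element; both fixes give back the original string as plain text with no children.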