
W3C policy: fear of change, caution to the point of paralysis. Let's change the world, but without taking any risks! (whatwg r2973)

From: poot <cvsmail@w3.org>
Date: Thu, 23 Apr 2009 07:21:54 +0900 (JST)
To: public-html-diffs@w3.org
Message-Id: <20090422222154.5C8462BC75@toro.w3.mag.keio.ac.jp>

References
http://people.w3.org/mike/diffs/html5/webstorage/Overview.1.26.html#references
7.4 SQL and user agents
http://people.w3.org/mike/diffs/html5/webstorage/Overview.1.26.html#sql-and-user-agents
7.3 Implementation risks
http://people.w3.org/mike/diffs/html5/webstorage/Overview.1.26.html#implementation-risks
7.5 SQL injection
http://people.w3.org/mike/diffs/html5/webstorage/Overview.1.26.html#sql-injection

http://people.w3.org/mike/diffs/html5/webstorage/Overview.diff.html
http://dev.w3.org/cvsweb/html5/webstorage/Overview.html?r1=1.25&r2=1.26&f=h
http://html5.org/tools/web-apps-tracker?from=2972&to=2973

===================================================================
RCS file: /sources/public/html5/webstorage/Overview.html,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- Overview.html	22 Apr 2009 19:26:16 -0000	1.25
+++ Overview.html	22 Apr 2009 22:21:30 -0000	1.26
@@ -1,4 +1,4 @@
-<!DOCTYPE html><!-- when publishing, change bits marked ZZZ --><html lang=en-US-x-Hixie><title>Web Storage</title><style type=text/css>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><!-- when publishing, change bits marked ZZZ --><html lang="en-US-x-Hixie"><title>Web Storage</title><style type="text/css">
    pre { margin-left: 2em; white-space: pre-wrap; }
    h2 { margin: 3em 0 1em 0; }
    h3 { margin: 2.5em 0 1em 0; }
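Review bot: the new DOCTYPE on the `+` line, `<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">`, has no system identifier, and browsers treat that public identifier as a quirks-mode trigger regardless of the system identifier, whereas the removed `<!DOCTYPE html>` selected standards mode; the `pre`, `h2` and `h3` rules in this hunk and the column rules further down the stylesheet will lay out differently in quirks mode. If a pre-HTML5 DOCTYPE is wanted for publication, prefer one that keeps standards mode (HTML 4.01 Strict with its system identifier URL) rather than 4.0 Transitional.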
@@ -142,50 +142,50 @@
      -webkit-column-width: 25em;
      -webkit-column-gap: 1em;
    }
-  </style><link href=http://www.w3.org/StyleSheets/TR/W3C-WD rel=stylesheet type=text/css><!-- ZZZ ED vs WD --><div class=head>
-   <p><a href=http://www.w3.org/><img alt=W3C height=48 src=http://www.w3.org/Icons/w3c_home width=72></a></p>
[...1282 lines suppressed...]
   features are letting hostile sites read information from other
   domains, and letting hostile sites write information that is then
   read from other domains.<p>Letting third-party sites read data that is not supposed to be
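Review bot: the `+` replacements for the two removed lines (`</style><link href=http://www.w3.org/StyleSheets/TR/W3C-WD rel=stylesheet type=text/css>` and the `<img alt=W3C ... src=http://www.w3.org/Icons/w3c_home ...>` logo line) fall inside the 1282 suppressed lines, so this hunk cannot be reviewed from the notification alone; check the full diff (the Overview.diff.html link above) that the `href`, `src`, `alt`, `width` and `height` attributes were quoted the same way as the rest of the change and that the `<!-- ZZZ ED vs WD -->` marker survived.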
@@ -1302,13 +1302,13 @@
   user's wishlist; or a hostile site could set a user's session
   identifier to a known ID that the hostile site can then use to track
   the user's actions on the victim site.<p>Thus, strictly following the <span>origin</span> model described
-  in this specification is important for user security.<h3 id=sql-and-user-agents><span class=secno>7.4 </span>SQL and user agents</h3><p>User agent implementors are strongly encouraged to audit all
+  in this specification is important for user security.<h3 id="sql-and-user-agents"><span class="secno">7.4 </span>SQL and user agents</h3><p>User agent implementors are strongly encouraged to audit all
   their supported SQL statements for security implications. For
   example, <code title="">LOAD DATA INFILE</code> is likely to pose
   security risks and there is little reason to support it.<p>In general, it is recommended that user agents not support
   features that control how databases are stored on disk. For example,
   there is little reason to allow Web authors to control the character
   encoding used in the disk representation of the data, as all data in
-  JavaScript is implicitly UTF-16.<h3 id=sql-injection><span class=secno>7.5 </span>SQL injection</h3><p>Authors are strongly recommended to make use of the <code title="">?</code> placeholder feature of the <code title=dom-sqltransaction-executeSql><a href=#dom-sqltransaction-executesql>executeSql()</a></code> method,
-  and to never construct SQL statements on the fly.<h2 class=no-num id=references>References</h2><p class=big-issue>This section will be written in a future
+  JavaScript is implicitly UTF-16.<h3 id="sql-injection"><span class="secno">7.5 </span>SQL injection</h3><p>Authors are strongly recommended to make use of the <code title="">?</code> placeholder feature of the <code title="dom-sqltransaction-executeSql"><a href="#dom-sqltransaction-executesql">executeSql()</a></code> method,
+  and to never construct SQL statements on the fly.<h2 class="no-num" id="references">References</h2><p class="big-issue">This section will be written in a future
   draft.<!--XXX-->
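Review bot: on the `+` line for section 7.5, `title="dom-sqltransaction-executeSql"` is mixed case while the link target is `href="#dom-sqltransaction-executesql"`; fragment-to-`id` matching is case-sensitive, so confirm that the `executeSql()` definition carries the lowercase `id`. The `id` values on the `<h3>` and `<h2>` elements (`sql-and-user-agents`, `sql-injection`, `references`) are byte-for-byte unchanged by the quoting, so the fragment links at the top of this message still resolve; the empty `title=""` attributes on the `<code>` elements carry no information and could be dropped in a later pass.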
Received on Wednesday, 22 April 2009 22:22:30 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 18 December 2010 06:14:04 GMT