
Re: "/>" (was Re: several messages about New Vocabularies in text/html

From: Bruce Miller <bruce.miller@nist.gov>
Date: Wed, 02 Apr 2008 12:13:51 -0400
To: Henri Sivonen <hsivonen@iki.fi>
Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Message-id: <47F3B0BF.1070202@nist.gov>

Henri Sivonen wrote:
> 
> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>> I'm trying, but I don't get it.
>> I guess you're saying that with something like:
>> <script/>
>>    do_dangerous_stuff();
>> </script>
> Gatekeeper applying the rule "/> always closes" would determine that 
> do_dangerous_stuff(); is not executable but existing browsers would 
> still run it. Of course, this is the wrong way to write a gatekeeper. 
> The right way is *never* to pass through original source but to always 
> run a parser, followed by sanitizer, followed by serializer. However, we 
> can't expect people who write gatekeepers to be competent.

Hmm....
Can </script> put do_dangerous_stuff(); into a (new) <script>
so that "everybody" agrees it's executable?

What do current browsers do with:
 <script/>
   do_dangerous_stuff();
 <body>....
?

-- 
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/
Received on Wednesday, 2 April 2008 16:15:15 UTC
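The two parsing rules Henri contrasts, applied to the fragments quoted in this message, as an added example (my code, written for this archive page; it is not code from the thread, from any browser, or from any real gatekeeper). It is a miniature tokenizer with one switch: selfClosingAlwaysCloses=true reproduces the flawed gatekeeper rule that "/>" always closes the element, false reproduces what the HTML parsing algorithm does, which is to ignore the self-closing flag on a non-void element such as script, so "<script/>" opens a script element whose raw text content runs to the next "</script>" end tag, or to the end of the input if there is none. The function names and the one extra test document are my own.

```javascript
// Added example, not from the thread.  Models the difference between a
// gatekeeper that believes "/> always closes" and an HTML5-style parser,
// which ignores the self-closing flag on <script> (script is not a void
// element), using the fragments quoted in the message as input.

// Fragments constructed from the message text.
const FRAGMENT_A = "<script/>\n   do_dangerous_stuff();\n</script>";
const FRAGMENT_B = "<script/>\n   do_dangerous_stuff();\n<body>....";

// Tokenize html into text, tag and script tokens.  selfClosingAlwaysCloses
// selects the flawed gatekeeper rule (true) or browser behaviour (false).
function tokenize(html, selfClosingAlwaysCloses) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf("<", i);
    if (lt === -1) { tokens.push({ type: "text", raw: html.slice(i) }); break; }
    if (lt > i) tokens.push({ type: "text", raw: html.slice(i, lt) });
    const m = /^<(\/?)([a-zA-Z][^\s\/>]*)([^>]*)>/.exec(html.slice(lt));
    if (!m) { tokens.push({ type: "text", raw: "<" }); i = lt + 1; continue; }
    const isEnd = m[1] === "/";
    const name = m[2].toLowerCase();
    const selfClosing = !isEnd && /\/\s*$/.test(m[3]);
    i = lt + m[0].length;
    if (isEnd || name !== "script" || (selfClosing && selfClosingAlwaysCloses)) {
      tokens.push({ type: "tag", raw: m[0], name, end: isEnd, selfClosing });
      continue;
    }
    // Script data state: everything is raw text until an appropriate
    // "</script" end tag.  With no end tag the script runs to end of input,
    // which is why "<script/> ... <body>...." swallows the rest of the page.
    const end = /<\/script(?=[\s\/>])/i.exec(html.slice(i));
    const bodyEnd = end ? i + end.index : html.length;
    const body = html.slice(i, bodyEnd);
    let endTagLen = 0;
    if (end) {
      const gt = html.indexOf(">", bodyEnd);
      endTagLen = (gt === -1 ? html.length : gt + 1) - bodyEnd;
    }
    tokens.push({ type: "script", raw: html.slice(lt, bodyEnd + endTagLen), body });
    i = bodyEnd + endTagLen;
  }
  return tokens;
}

// Script bodies that the given rule considers executable.
function executableScripts(html, selfClosingAlwaysCloses) {
  return tokenize(html, selfClosingAlwaysCloses)
    .filter((t) => t.type === "script")
    .map((t) => t.body);
}

// The flawed gatekeeper: drops what *it* thinks are script elements and
// passes the rest through as source.  For FRAGMENT_A it finds no script
// element at all, so the payload survives verbatim.
function naiveGatekeeper(html) {
  return tokenize(html, true).filter((t) => t.type !== "script").map((t) => t.raw).join("");
}

// Parse, sanitize, serialize with the browser's rule: the script element,
// its raw content and its end tag are all removed together.
function stripScripts(html) {
  return tokenize(html, false).filter((t) => t.type !== "script").map((t) => t.raw).join("");
}

// What a browser would execute after each gatekeeper has had its turn.
function survivesGatekeeper(html) {
  return executableScripts(naiveGatekeeper(html), false);
}
function survivesStrip(html) {
  return executableScripts(stripScripts(html), false);
}

console.log(survivesGatekeeper(FRAGMENT_A)); // [ '\n   do_dangerous_stuff();\n' ]
console.log(survivesStrip(FRAGMENT_A));      // []
console.log(executableScripts(FRAGMENT_B, false)); // [ '\n   do_dangerous_stuff();\n<body>....' ]
```

The pass-through gatekeeper returns FRAGMENT_A unchanged, because under its rule the fragment contains an empty script element, some text, and a stray end tag; a browser then runs the "text". The parse-sanitize-serialize pipeline removes the whole element because it applies the same rule the browser does. For FRAGMENT_B the browser's script content extends past "<body>...." to the end of the input, which is the answer to the second question above as far as the parsing algorithm is concerned.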
