
Re: "/>" (was Re: several messages about New Vocabularies in text/html

From: Bruce Miller <bruce.miller@nist.gov>
Date: Wed, 02 Apr 2008 12:31:59 -0400
To: Henri Sivonen <hsivonen@iki.fi>
Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Message-id: <47F3B4FF.7090301@nist.gov>

Henri Sivonen wrote:
> On Apr 2, 2008, at 19:13, Bruce Miller wrote:
>> Henri Sivonen wrote:
>>> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>>>> I'm trying, but I don't get it.
>>>> I guess you're saying that with something like:
>>>> <script/>
>>>>   do_dangerous_stuff();
>>>> </script>
>>> Gatekeeper applying the rule "/> always closes" would determine that 
>>> do_dangerous_stuff(); is not executable but existing browsers would 
>>> still run it. Of course, this is the wrong way to write a gatekeeper. 
>>> The right way is *never* to pass through original source but to 
>>> always run a parser, followed by sanitizer, followed by serializer. 
>>> However, we can't expect people who write gatekeepers to be competent.
>> Hmm....
>> Can </script> put do_dangerous_stuff(); into a (new) <script>
>> so that "everybody" agrees it's executable?
> Not without creating a gatekeeper problem.

What problem?
They'll treat dangerous stuff as executable whether
they follow the old rules, or the new rules, won't they?

>> What do current browsers do with:
>> <script/>
>>  do_dangerous_stuff();
>> <body>....
>> ?
> The <body> tag becomes part of the script but the script doesn't run, 
> because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1 
> and Opera 9.5 beta.)

I'm tempted to say, "That's a good result"
since the dangerous stuff is not actually executed
according to either old or new rules....
But I suspect you won't be convinced by that... :>
(and I can almost understand why...)

> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E... 
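As an added illustration of the gatekeeper problem Henri describes (example code written for this archive page, not from the thread or any browser): a hypothetical gatekeeper applying "/> always closes" beside a tokenizer that follows the browser rule, plus a strip function that rebuilds its output from that tokenization instead of passing the source through. The inputs are the two snippets from the thread; the regex-based tokenizer is a deliberate simplification of the HTML5 script-data state and is not a substitute for a real HTML5 parser.

```python
import re

# Constructed inputs, taken from the thread: a self-closing <script/> followed
# by script text, once with a closing tag and once running into <body> at EOF.
CLOSED = "<script/>\n  do_dangerous_stuff();\n</script>\n<p>hi</p>"
UNCLOSED = "<script/>\n do_dangerous_stuff();\n<body>..."
OPEN_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
END_TAG = re.compile(r"</script\s*>", re.IGNORECASE)

def naive_gatekeeper_scripts(html):
    """Hypothetical gatekeeper applying the rule '/> always closes'.
    Whatever follows <script/> is taken to be ordinary markup, so it is
    never reported as executable and would be passed through untouched."""
    found = []
    for m in OPEN_TAG.finditer(html):
        if m.group(1).rstrip().endswith("/"):
            continue  # assumed to be an empty element: nothing to inspect
        end = END_TAG.search(html, m.end())
        if end:
            found.append(html[m.end():end.start()].strip())
    return found

def browser_scripts(html):
    """Approximation of the HTML5 tokenizer: the self-closing flag on
    <script/> is ignored, the tag switches to script data, and everything
    up to the next </script> is script text. A script cut off by EOF is
    still script data but marked as not run, as the thread reports."""
    out, pos = [], 0
    while (m := OPEN_TAG.search(html, pos)):
        end = END_TAG.search(html, m.end())
        if end is None:
            out.append({"body": html[m.end():].strip(),
                        "span": (m.start(), len(html)), "runs": False})
            break
        out.append({"body": html[m.end():end.start()].strip(),
                    "span": (m.start(), end.end()), "runs": True})
        pos = end.end()
    return out

def strip_scripts(html):
    """The shape Henri recommends: tokenize the way browsers do, drop the
    script elements, and emit fresh output rather than the original source."""
    pieces, pos = [], 0
    for script in browser_scripts(html):
        start, end = script["span"]
        pieces.append(html[pos:start])
        pos = end
    pieces.append(html[pos:])
    return "".join(pieces)
```

On CLOSED the naive gatekeeper reports no executable script while the browser-rule tokenizer finds `do_dangerous_stuff();` as a terminated script; on UNCLOSED both see nothing runnable, but only because EOF arrives before `</script>`.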

Received on Wednesday, 2 April 2008 16:33:16 UTC
