W3C home > Mailing lists > Public > public-html@w3.org > April 2010

Re: Issue 100 Zero-Edits Counter Proposal

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Wed, 14 Apr 2010 17:13:33 -0700
Message-ID: <y2ndd0fbad1004141713jd4d094adm60918fc4972b91b0@mail.gmail.com>
To: Shelley Powers <shelley.just@gmail.com>
Cc: Julian Reschke <julian.reschke@gmx.de>, public-html@w3.org
On Wed, Apr 14, 2010 at 5:02 PM, Shelley Powers <shelley.just@gmail.com> wrote:
> Most of Wordpress's problem in the past has been problems with SQL
> Injection. I know, I found and fixed more than a few when I had forked
> the application at one point.
> When you say long history, do you have specifics? Links? I had the
> creator of Wordpress, Matt Mullenweg, respond to the necessity of
> having to provide a srcdoc attribute, in which to stuff comments so
> that we may be protected. He did not indicate interest.

Google "wordpress xss vulnerability" for a long list of examples.

> Perhaps you can find other weblog software developers and see if
> they're interested. Or, since Ian stated that this attribute was for a
> specific use case, ask him to provide documentation backing up the use
> case: a request from a weblog developer, a commitment from tool
> developers to use it. Something tangible.
> I've been working with weblogging software for a decade, and though I
> may not be considered expert enough for this organization, I am fairly
> comfortable stating that people who work with weblogging
> templates--either authors, or tool or template builders, are highly
> unlikely to use this attribute.

As someone who writes webpages regularly, and is currently writing Yet
Another Homebrew Blogging Platform for himself, I'd totally use this.
It'd make my job a hell of a lot easier if I was certain that the
browser was ensuring that an XSS attack was literally impossible, as
every comment was safely sandboxed in its own iframe.

> Infrequently updates wordpress blogs? You lost me on this.

A new feature is supported by browsers, which happens to allow
something that was previously allowed through the sanitizer due to
being "harmless" to now do something bad.  Wordpress, hopefully, will
discover this quickly and push out an update.  That helps people who
update their blog software regularly.  It does nothing for people who
don't, and so are still running an old version with the vulnerable

> I use Drupal -- I find it unlikely that Dries would be interested in
> srcdoc, either.


> Blogs written by hand won't have a comment system. The "by hand" part
> negates that type of functionality.

I meant, a personally-coded blogging software.  Not someone who
actually writes each page as a static file.

> Frankly, if weblogging tool developers aren't keen on srcdoc, I don't
> know if you can say that anyone else would be, either.

You have not demonstrated such to my satisfaction, at least.

>>> Now, others may think all of sandboxing is bad, but they should submit
>>> a bug, accordingly.
>> Half or more of your Change Proposal rationale is arguing that all of
>> sandboxing is bad (most particularly, the part arguing that authors
>> are too stupid to realize that using <iframe srcdoc sandbox> to
>> display comments on their blog won't protect them against SQL
>> injection when handling form submission of new comments).  I would
>> appreciate it if you would remove those sections and file bugs
>> accordingly.
> Unless you've become the co-chair for this group, please refrain from
> telling me to edit my proposals.

That's the entire point of posting a Change Proposal to the group; we
can suggest changes that would improve the document and hopefully come
to an amicable resolution without having to solicit counter-proposals.
 This is also why we often formulate proposals on the wiki, so they
can be altered easily, either by the author or by others.

If you believe that your Change Proposals are perfect and inviolate
when they are posted, you're doing it wrong.

Also, seriously, chill.

Received on Thursday, 15 April 2010 00:14:21 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:16:01 UTC