W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP XML Data with tokens

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 31 Jan 2011 18:37:08 -0800
Message-ID: <AANLkTi=gnhq3XY==ObV34uvLsB3--4_HQ7escOshVM3L@mail.gmail.com>
To: "sird@rckc.at" <sird@rckc.at>
Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Michal's point seems to be that
>
> <$untrusted>$user_content</$untrusted>
>
> is easier to get right than
>
> {htmlentities($user_content)}

I'm not even making this point very strongly; but I mostly think that
if you disagree with this, then sandboxed frames are necessarily even
less of a fit.

/mz
Received on Tuesday, 1 February 2011 02:38:01 GMT
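The contrast quoted above, worked through as an added example that is not part of this thread or of any CSP draft. It puts the same htmlentities-style escaping into three insertion contexts and checks the result with the stdlib HTML tokenizer, then simulates the marker approach. The marker spelling <untrusted-TOKEN>, the per-response token, and the simulated consumer are assumptions made for this illustration, not a specification of what the thread's proposal looks like; the payloads are constructed.

```python
"""Added illustration (not from the thread or any CSP spec).

Approach 1: escape user content at each insertion point.
Approach 2: wrap user content in a marker element whose consumer treats
everything inside as text. Marker spelling and consumer are assumptions.
"""
import html
import re
import secrets
from html.parser import HTMLParser


class _AttrCollector(HTMLParser):
    """Collects (tag, attr, value) triples using the stdlib HTML tokenizer."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend((tag, name, value) for name, value in attrs)


def scriptable_attrs(fragment):
    """Attributes in `fragment` that would run attacker script: on* handlers
    and javascript: URLs. This is the check applied to each rendered output."""
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    found = []
    for tag, name, value in parser.attrs:
        value = (value or "").strip().lower()
        if name.startswith("on") or (name in ("href", "src") and value.startswith("javascript:")):
            found.append((tag, name))
    return found


# --- Approach 1: one escaper dropped into several contexts -------------------

def render_with_escaping(user_content):
    """The same htmlentities-style call used in three places."""
    esc = html.escape(user_content, quote=True)
    return {
        "body": f"<p>{esc}</p>",                  # the context this escaper is for
        "unquoted_attr": f"<input value={esc}>",  # escaper leaves spaces alone
        "href": f'<a href="{esc}">link</a>',      # escaper knows nothing about URL schemes
    }


# --- Approach 2: marker element with a per-response token (assumed) ---------

def new_token():
    return secrets.token_hex(16)


def wrap_untrusted(user_content, token):
    """Producer side: no escaping, only a marker. The one input the marker
    cannot carry is its own closing tag, which needs the unguessable token."""
    close = f"</untrusted-{token}>"
    if close in user_content:
        raise ValueError("untrusted content contains the closing marker")
    return f"<untrusted-{token}>{user_content}{close}"


def consume_untrusted(document, token):
    """Simulated consumer (what a browser honouring the marker would do):
    everything between matching markers becomes text, never markup."""
    t = re.escape(token)
    pattern = re.compile(rf"<untrusted-{t}>(.*?)</untrusted-{t}>", re.S)
    return pattern.sub(lambda m: html.escape(m.group(1), quote=True), document)


if __name__ == "__main__":
    # Constructed payloads, one per context.
    for ctx, payload in (("body", "<script>alert(1)</script>"),
                         ("unquoted_attr", "x onmouseover=alert(1)"),
                         ("href", "javascript:alert(1)")):
        frag = render_with_escaping(payload)[ctx]
        print(ctx, scriptable_attrs(frag), frag)

    tok = new_token()
    # Attacker tries to close the block with a guessed token; it stays text.
    doc = "<p>" + wrap_untrusted("<script>alert(1)</script></untrusted-guess>", tok) + "</p>"
    print(consume_untrusted(doc, tok))
```

The escaper is only correct in the first context; in the other two it returns unchanged input that the tokenizer happily turns into an event handler or a javascript: URL, which is the "easy to get wrong" half of the comparison. The marker, as written, only replaces escaping where an element is legal in the first place, i.e. in element content, so it is not a substitute for attribute or URL handling either; it just removes the per-site choice of escaper from the places where the quoted `<$untrusted>` form applies.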
