
Re: CSP XML Data with tokens

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Thu, 27 Jan 2011 15:38:06 -0800
Message-ID: <AANLkTi=TGwhDSHnK3pYDECL7LteVBi+d+wtODict0iwD@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
>
>> <span security=XXXX>
>>
>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>> </span security=XXXX>
>>
>
> Ah but my point is before HTML is rendered the start and end markers should
> be parsed first. CDATA doesn't matter.
>

Yes, but the point of using XML is that you can use any XML parser and
not your own parser. You might as well use HTML if you are doing that.

(I am not a big fan of XML -- I am just writing down what I think is
their point of view).

-devdatta


>>
>> Perhaps a more compatible approach would be:
>>
>> <securityXXXX> // With secret token in tag name
>>  user_content_here
>> </securityXXXX>
>>
>> ...but it's also unlikely to fly with purists.
>
> I prefer this maybe with some extra characters that aren't likely to be
> used:-
>  <__securityXXXX__> // With secret token in tag name
>  user_content_here
> </__securityXXXX__>
>
Received on Thursday, 27 January 2011 23:38:59 GMT
