- From: <sird@rckc.at>
- Date: Thu, 27 Jan 2011 18:24:29 -0600
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Hi!

Just a suggestion, you may prefer to use something like:

<xmp token="xxx" class="security">content here</xmp>

Old UAs will ignore that, another option could be to use <noscript> but that may be weird, and could cause bad consequences.

Greetings!!

--
Eduardo

On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>
>>> <span security=XXXX>
>>>
>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>> </span security=XXXX>
>>>
>>
>> Ah but my point is before HTML is rendered the start and end markers should
>> be parsed first. CDATA doesn't matter.
>>
>
> yes, but the point of using XML is that you can use any XML parser and
> not your own parser. You might as well use HTML if you are doing that.
>
> (I am not a big fan of XML -- I am just writing down what I think is
> their point of view).
>
> -devdatta
>
>
>>>
>>> Perhaps a more compatible approach would be:
>>>
>>> <securityXXXX> // With secret token in tag name
>>> user_content_here
>>> </securityXXXX>
>>>
>>> ...but it's also unlikely to fly with purists.
>>
>> I prefer this maybe with some extra characters that aren't likely to be
>> used:-
>> <__securityXXXX__> // With secret token in tag name
>> user_content_here
>> </__securityXXXX__>
>>
>
>
Received on Friday, 28 January 2011 00:25:22 UTC
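The token-in-tag-name scheme discussed in the thread, modelled in Python as an added example (not code from the thread, from any UA, or from the W3C list). `wrap_untrusted`, `render` and `render_comment` are hypothetical names; `render` stands in for the proposed browser-side step that locates the marker pair before any HTML parsing, and the `__security<token>__` marker follows the variant quoted above.

```python
import html
import secrets

MARK = "__security"


def new_token() -> str:
    # One fresh, unguessable token per response: the whole scheme rests on the
    # attacker not being able to spell the closing marker.
    return secrets.token_hex(16)


def wrap_untrusted(content: str, token: str) -> str:
    """Server side: emit untrusted text between markers whose tag name carries the token."""
    return f"<{MARK}{token}__>{content}</{MARK}{token}__>"


def render(document: str, token: str) -> str:
    """Model of the proposed UA behaviour: find the marker pair *before* any HTML
    parsing and treat everything between them as CDATA (here: entity-escape it).
    Text outside the markers passes through untouched."""
    open_tag = f"<{MARK}{token}__>"
    close_tag = f"</{MARK}{token}__>"
    out, pos = [], 0
    while True:
        start = document.find(open_tag, pos)
        if start == -1:
            out.append(document[pos:])
            return "".join(out)
        end = document.find(close_tag, start + len(open_tag))
        if end == -1:
            # A region that never closes must fail closed, not fall back to HTML
            raise ValueError("security region never closed")
        out.append(document[pos:start])
        out.append(html.escape(document[start + len(open_tag):end], quote=False))
        pos = end + len(close_tag)


def render_comment(untrusted: str) -> str:
    """Wrap one untrusted comment with a fresh token and render the whole page."""
    token = new_token()
    page = "<p>Comment:</p>" + wrap_untrusted(untrusted, token) + "<p>end</p>"
    return render(page, token)


if __name__ == "__main__":
    # Constructed untrusted input: a guessed closing marker followed by markup
    print(render_comment("</__securityXXXX__><b>not bold</b>"))
```

Because the real closing marker carries a per-response random token, a guessed `</__securityXXXX__>` is just text and is escaped along with the rest of the region; the token must never be echoed into the untrusted content itself.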