- From: <sird@rckc.at>
- Date: Thu, 27 Jan 2011 18:25:55 -0600
- To: Devdatta Akhawe <dev.akhawe@gmail.com>
- Cc: gaz Heyes <gazheyes@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
Oh btw, you could also:

<span security="xxxxx">html encoded content</span>

Or am I missing how this is going to behave being backward compatible?

Greetz

-- Eduardo

On Thu, Jan 27, 2011 at 6:24 PM, sird@rckc.at <sird@rckc.at> wrote:
> Hi!
>
> Just a suggestion, you may prefer to use something like..
>
> <xmp token="xxx" class="security">content here</xmp>
>
> Old UAs will ignore that, another option could be to use <noscript>
> but that may be weird, and could cause bad consequences.
>
> Greetings!!
> -- Eduardo
>
> On Thu, Jan 27, 2011 at 5:38 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote:
>>>
>>>> <span security=XXXX>
>>>>
>>>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>>>> </span security=XXXX>
>>>>
>>>
>>> Ah but my point is before HTML is rendered the start and end markers should
>>> be parsed first. CDATA doesn't matter.
>>>
>>
>> yes, but the point of using XML is that you can use any XML parser and
>> not your own parser. You might as well use HTML if you are doing that.
>>
>> (I am not a big fan of XML -- I am just writing down what I think is
>> their point of view).
>>
>> -devdatta
>>
>>>>
>>>> Perhaps a more compatible approach would be:
>>>>
>>>> <securityXXXX> // With secret token in tag name
>>>> user_content_here
>>>> </securityXXXX>
>>>>
>>>> ...but it's also unlikely to fly with purists.
>>>
>>> I prefer this maybe with some extra characters that aren't likely to be
>>> used:-
>>> <__securityXXXX__> // With secret token in tag name
>>> user_content_here
>>> </__securityXXXX__>
>>>
Received on Friday, 28 January 2011 00:26:48 UTC