- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Thu, 10 Nov 2011 13:49:28 +0200
- To: public-webapps WG <public-webapps@w3.org>
On Fri, Nov 4, 2011 at 2:54 PM, João Eiras <joaoe@opera.com> wrote:
> * stripScripts is a boolean that tells the parser to strip unsafe content
> like scripts, event listeners and embeds/objects which would be handled by a
> 3rd party plugin according to user agent policy.

"According to user agent policy" is a huge interoperability problem. (IIRC, Collin Jackson listed IE's toStaticHTML as an example of a bad security feature for this reason in his USENIX talk.)

If we expose an HTML sanitizer to Web content as a DOM API, we should have a clear normative spec that says what exactly the sanitizer does. Stuff to debate includes what to do about Content MathML, what to do about <object> elements that appear to reference SVG and what to do about <embed> elements that bear Microdata attributes.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Thursday, 10 November 2011 11:50:04 UTC
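The message argues that a sanitizer exposed to Web content needs a normative definition rather than a "user agent policy". The following is an added illustration, not code from this thread, from Opera's proposal or from any browser: a small sanitizer built on Python's standard-library html.parser whose every decision (allowed elements, allowed attributes per element, allowed URL schemes, elements dropped with their contents, and the rule that event-handler attributes are never kept) is written down as data at the top. The policy sets themselves are constructed for the example and are not a recommendation for a real spec; how Content MathML or SVG-referencing <object> elements should be treated is exactly the kind of question the message says a spec would have to settle, and here those elements simply fall under the "unknown element" or "drop with contents" rules. The sample inputs are likewise constructed.

```python
from html.parser import HTMLParser
from html import escape
import re

# Explicit policy (constructed for this example). Every choice is visible here,
# which is what makes the sanitizer's behaviour specifiable and testable.
ALLOWED_ELEMENTS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "span"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}, "span": {"class"}}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
# Removed together with everything inside them (script/style are CDATA in the
# parser, so their text arrives as data and is skipped as well).
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "noscript", "template"}
# Void elements never have content, so they are never pushed on the open-tag stack.
VOID_ELEMENTS = {"br", "embed", "img", "input", "hr", "source", "param"}
# Any element that is neither allowed nor dropped-with-content loses its tag but
# keeps its children as ordinary content (e.g. <div>, <math>).

_WS_CONTROL = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")


def url_allowed(value):
    """Accept relative URLs and URLs whose scheme is on the allowlist.

    Whitespace/control characters are removed before the scheme check so that
    'java\\tscript:' is recognised as the javascript scheme.
    """
    cleaned = _WS_CONTROL.sub("", value)
    scheme, sep, _ = cleaned.partition(":")
    if not sep or not _SCHEME.match(scheme):
        return True  # no syntactically valid scheme: relative URL, permitted
    return scheme.lower() in ALLOWED_URL_SCHEMES


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._out = []    # serialised output fragments
        self._open = []   # stack of allowed, non-void elements currently open
        self._skip = 0    # > 0 while inside a dropped subtree

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):  # event-handler attributes are never kept
                continue
            if name not in ALLOWED_ATTRIBUTES.get(tag, set()):
                continue
            if name == "href" and not url_allowed(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if self._skip:
            if tag not in VOID_ELEMENTS:
                self._skip += 1   # nested element inside a dropped subtree
            return
        if tag in DROP_WITH_CONTENT:
            if tag not in VOID_ELEMENTS:
                self._skip = 1
            return
        if tag not in ALLOWED_ELEMENTS:
            return  # unknown element: tag removed, children kept
        self._out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")
        if tag not in VOID_ELEMENTS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag not in VOID_ELEMENTS:
                self._skip -= 1
            return
        if tag in self._open:
            # Close mis-nested elements opened after this one too, so the
            # output is always well-formed.
            while True:
                top = self._open.pop()
                self._out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip:
            self._out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self):
        while self._open:  # close anything the input left open
            self._out.append(f"</{self._open.pop()}>")
        return "".join(self._out)


def sanitize(markup):
    s = Sanitizer()
    s.feed(markup)
    s.close()
    return s.result()


if __name__ == "__main__":
    # Constructed sample input covering event handlers, script, object and embed.
    sample = ('<p onclick="x()">Hi <b>there</b><script>alert(1)</script></p>'
              '<object data="a.svg"><p>fallback</p></object>'
              '<embed src="x.swf" itemprop="foo"><a href="javascript:alert(1)">x</a>')
    print(sanitize(sample))
```

Because the parser is a tokenizer rather than a full tree builder, a stray end tag inside a dropped subtree can end the skip early; a sanitizer specified for the Web would have to be defined over the parsed DOM, which is part of why the message asks for a normative spec rather than a list of intentions.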