
Re: innerHTML in DocumentFragment

From: Henri Sivonen <hsivonen@iki.fi>
Date: Thu, 10 Nov 2011 13:49:28 +0200
Message-ID: <CAJQvAud2c4cgButW8YvXtOesb05k67FLSvefJtAJMQitZ5ySYg@mail.gmail.com>
To: public-webapps WG <public-webapps@w3.org>
On Fri, Nov 4, 2011 at 2:54 PM, João Eiras <joaoe@opera.com> wrote:
> * stripScripts is a boolean that tells the parser to strip unsafe content
> like scripts, event listeners and embeds/objects which would be handled by a
> 3rd party plugin according to user agent policy.

"According to user agent policy" is a huge interoperability problem.
(IIRC, Collin Jackson listed IE's toStaticHTML as an example of a bad
security feature for this reason in his USENIX talk.)

If we expose an HTML sanitizer to Web content as a DOM API, we should
have a clear normative spec that says what exactly the sanitizer does.
Stuff to debate includes what to do about Content MathML, what to do
about <object> elements that appear to reference SVG and what to do
about <embed> elements that bear Microdata attributes.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Thursday, 10 November 2011 11:50:04 GMT
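The point Henri makes above is that a sanitizer whose behaviour is "according to user agent policy" is an interoperability problem, and that a DOM-exposed sanitizer needs a normative spec deciding every case, including the ones he lists. The following is an added illustration, not code from the thread, from any browser (it is not IE's toStaticHTML) or from any proposed API. It is an allowlist sanitizer whose output is entirely determined by an explicit policy table, plus a second policy that differs only in letting `<object>` through, to show how two "user agent policies" diverge on the same input. The tokenizer is a deliberately minimal one for the constructed, well-formed inputs below (it does not decode character references or do error recovery); a real sanitizer must sit on a spec-conformant HTML parser. Element and attribute tables, policy names and sample markup are all my own choices.

```javascript
// Added example: policy-driven allowlist sanitizer. Illustrative only; not any
// browser's implementation and not a proposed standard.

// Elements serialized without an end tag (subset sufficient for the inputs here).
const VOID = new Set(['br', 'img', 'hr', 'input', 'embed', 'param', 'source']);

// Minimal tokenizer for well-formed markup; NOT an HTML5 parser. Character
// references are passed through untouched. Builds {name, attrs, children} nodes.
function parse(html) {
  const root = { name: '#root', attrs: {}, children: [] };
  const stack = [root];
  const tokenRe = /<\/?([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>|([^<]+)/g;
  const attrRe = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [tok, name, attrText, text] = m;
    const top = stack[stack.length - 1];
    if (text !== undefined) { top.children.push(text); continue; }
    const lname = name.toLowerCase();
    if (tok.startsWith('</')) {                 // end tag: pop to the matching element
      for (let i = stack.length - 1; i > 0; i--) {
        if (stack[i].name === lname) { stack.length = i; break; }
      }
      continue;
    }
    const attrs = {};
    attrRe.lastIndex = 0;
    let a;
    while ((a = attrRe.exec(attrText)) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
    }
    const el = { name: lname, attrs, children: [] };
    top.children.push(el);
    if (!VOID.has(lname) && !tok.endsWith('/>')) stack.push(el);
  }
  return root;
}

// A fully explicit policy (hypothetical): anything not listed is removed, so two
// implementations of this table must agree on every input.
const STRICT_POLICY = {
  // Kept elements. Presentation MathML is listed; Content MathML elements such as
  // <apply> are not, so they are unwrapped: an explicit decision, not UA discretion.
  elements: new Set(['p', 'b', 'i', 'span', 'ul', 'li', 'a', 'img', 'br',
                     'math', 'mrow', 'mi', 'mn', 'mo']),
  // '*' applies to every kept element. No on* attribute appears anywhere here,
  // which is what actually removes inline event listeners.
  attributes: { '*': ['title', 'class', 'itemprop'], a: ['href'], img: ['src', 'alt'] },
  // Whole subtree dropped, text included. <object>/<embed> are here regardless of
  // what they appear to reference, so <object data="x.svg"> goes too, and an
  // <embed> loses its Microdata attributes along with itself.
  dropWithContent: new Set(['script', 'style', 'object', 'embed', 'iframe']),
  urlAttributes: new Set(['href', 'src', 'data']),
  urlSchemes: new Set(['http:', 'https:', 'mailto:']),
};

// A second hypothetical policy that differs only in keeping <object>: a plausible
// "user agent policy", and enough to make two agents disagree on the same input.
const LENIENT_POLICY = {
  ...STRICT_POLICY,
  elements: new Set([...STRICT_POLICY.elements, 'object']),
  attributes: { ...STRICT_POLICY.attributes, object: ['data', 'type'] },
  dropWithContent: new Set(['script', 'style', 'embed', 'iframe']),
};

function safeUrl(value, policy) {
  // The WHATWG URL parser strips leading/trailing C0 controls and removes embedded
  // tabs and newlines, so "java\nscript:" and " javascript:" are still caught.
  try {
    return policy.urlSchemes.has(new URL(value, 'https://example.invalid/').protocol);
  } catch { return false; }
}

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => escapeText(s).replace(/"/g, '&quot;');

function serialize(node, policy, out) {
  for (const child of node.children) {
    if (typeof child === 'string') { out.push(escapeText(child)); continue; }
    if (policy.dropWithContent.has(child.name)) continue;
    if (!policy.elements.has(child.name)) { serialize(child, policy, out); continue; } // unwrap
    const allowed = new Set([...policy.attributes['*'], ...(policy.attributes[child.name] || [])]);
    let attrs = '';
    for (const [k, v] of Object.entries(child.attrs)) {
      if (!allowed.has(k)) continue;
      if (policy.urlAttributes.has(k) && !safeUrl(v, policy)) continue;
      attrs += ` ${k}="${escapeAttr(v)}"`;
    }
    out.push(`<${child.name}${attrs}>`);
    if (VOID.has(child.name)) continue;
    serialize(child, policy, out);
    out.push(`</${child.name}>`);
  }
}

function sanitizeHtml(html, policy = STRICT_POLICY) {
  const out = [];
  serialize(parse(html), policy, out);
  return out.join('');
}

// Constructed input covering the cases raised in the thread.
const SAMPLE = '<p onclick="steal()">Hi <b>there</b>' +
  '<a href="java\nscript:alert(1)">x</a><a href="https://example.org/">ok</a>' +
  '<script>alert(1)</script>' +
  '<object data="picture.svg" type="image/svg+xml">fallback</object>' +
  '<embed itemprop="video" src="movie.swf">' +
  '<math><apply><plus/><mi>x</mi></apply></math></p>';

console.log('strict :', sanitizeHtml(SAMPLE));
console.log('lenient:', sanitizeHtml(SAMPLE, LENIENT_POLICY));
```

Running it prints two different strings for the same input: the strict table yields `<p>Hi <b>there</b><a>x</a><a href="https://example.org/">ok</a><math><mi>x</mi></math></p>`, while the lenient table additionally keeps the `<object>` element with its `data` and `type` attributes. Neither result is "wrong" under a spec that says only "according to user agent policy"; that is exactly the interoperability problem, and the fix is for the spec to own the table rather than the implementation.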
