- From: Jonathan Kew <jfkthame@googlemail.com>
- Date: Thu, 27 May 2010 00:16:17 +0100
- To: Sylvain Galineau <sylvaing@microsoft.com>
- Cc: www-font@w3.org, public-webfonts-wg@w3.org
On 26 May 2010, at 23:56, Sylvain Galineau wrote: > The cost of implementing 'about this font' ought to be as minimal as it can be or > no one will bother. I'm assuming all current browsers that might implement such a feature already have XSLT processing facilities, and can display a simple panel containing the tiny subset of HTML that this generates. As such, the cost of implementing this should be minimal: extract the XML metadata; call an existing function to apply an XSL transform to it; call another existing function to display the resulting HTML in a UI widget. > Whatever seems to be hackable with a quick script and works great > with the two examples you and I just made up is not necessarily a good indication of > what it'll cost in a real shipping product that, for this particular feature, probably > has more malicious attackers poking at it than there are people who will use said feature > on a regular basis. I'm inclined to think that existing XSLT processors, which are already exposed to arbitrary content (both XML input and XSL stylesheets) from the Web, should be at least as robust against malicious attackers as some piece of newly-written code designed solely to process a new "extensible but not open-ended" format. If that's not the case -- if we have XSLT capabilities in our browsers, but they're vulnerable to potentially malicious content that people might be trying to feed into them -- then we have a pretty serious problem on our hands already. JK
Received on Wednesday, 26 May 2010 23:16:54 UTC