W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2008

[whatwg] Stability of tokenizing/dom algorithms

From: Edward Z. Yang <edwardzyang@thewritingpot.com>
Date: Mon, 15 Dec 2008 16:27:52 -0500
Message-ID: <4946CBD8.70508@thewritingpot.com>
Ian Hickson wrote:
> Oh well that's just a matter of having pluggable modules for different 
> things to filter. You can equally support SVG and MathML in this way. You 
> just need the core processing to be made independent of the filtering.

I just realized an error in my thought that I would need to modify the
parsing algorithm; that would only be the case if I tried to integrate
filtering with the core processing. If it's a two-stage process, the
core processing merely has special rules for certain elements embedded
in it, but otherwise acts normally. Performance *is* an issue (getting
things to be standards compliant is relatively CPU/memory intensive),
but getting things to work is first.

> I wouldn't really worry about "4" vs "5". What matters is what works in 
> browsers, or whatever tools your users are using. (This is one reason in 
> HTML5 we do away with having the version number in the DOCTYPE.) I'd 
> recommend just using the HTML5 DOCTYPE and then filtering the content to 
> be whatever you want it to be.

HTML Purifier puts a high value on standards-compliance, and we've been
attacked on several occasions because of it. "Standards suck." To this I
have to say, standards compliance has helped defend against a number of
XSS attacks--enforcing it lowers attack surface and makes behavior much
more well-defined. So I feel like it's a goal worth striving for, in and
of itself, especially since you can't enforce semantics with computers.

Cheers,
Edward
Received on Monday, 15 December 2008 13:27:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:46 UTC