W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] base64 entities

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 26 Aug 2010 16:25:46 -0400
Message-ID: <4C76CDCA.9060803@mit.edu>
On 8/26/10 4:10 PM, Aryeh Gregor wrote:
> On Thu, Aug 26, 2010 at 5:58 AM, Julian Reschke<julian.reschke at gmx.de>  wrote:
>> Not convinced. There's already one way to escape these things, and this is
>> supported in all UAs.
>
> Adam gave two examples of cases where htmlspecialchars() is
> insufficient, even if authors do use it.  This proposal is completely
> general and will work anywhere, even in<script>.

Sorta.  It'll let you put the data in <script>, but it won't verify that 
the data doesn't change the meaning of the script, obviously, or inject 
script of its own to run.

> Is automated general escaping even possible right now in<script>  for text/html?

Defined how?

-Boris
Received on Thursday, 26 August 2010 13:25:46 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:00 UTC