- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 27 Aug 2010 11:23:57 +0200
On 27.08.2010 00:45, Adam Barth wrote:
> ...
> Escaping just those characters is insufficient. The appeal of this
> approach is that authors don't need the right blacklist of dangerous
> characters. By the way, there are already folks doing something
> similar manually now. They send the untrusted bytes as base64 and
> decode them using JavaScript.

That sounds like a good idea which doesn't have the deployment problem.

> ...
> On Thu, Aug 26, 2010 at 1:30 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> I now get the point about the additional problems in script, but I fail to
>> see how the proposal addresses this, unless expanding these entities is
>> supposed to happen *after* parsing the script.
>
> Yes. That's precisely what happens.

Ok. To be clear: the same applies to HTML entities in text/html, but not for XML entities in application/xhtml+xml (because of the different handling of <script> content).

So, what's the implication for XHTML?

Best regards, Julian
Received on Friday, 27 August 2010 02:23:57 UTC
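The "send the untrusted bytes as base64 and decode them using JavaScript" approach discussed in the thread, as an added example that is not part of the original messages or any participant's code. The names encodeForInlineScript, payloadIsInert and decodeUntrusted are chosen here, and the sample input is constructed; it assumes Node.js 16 or later (Buffer, atob and TextDecoder are built in).

```javascript
// Server side: wrap untrusted data in an inline script that decodes it on
// the client. The base64 alphabet contains none of < > & " ', so the payload
// can neither close the <script> element in text/html nor be changed by
// entity expansion of <script> content in application/xhtml+xml.
function encodeForInlineScript(untrusted) {
  const b64 = Buffer.from(untrusted, 'utf8').toString('base64');
  return `<script>var untrusted = decodeUntrusted("${b64}");</script>`;
}

// Fixed wrapper emitted by encodeForInlineScript; everything between these
// two strings must be base64 and nothing else.
const PREFIX = '<script>var untrusted = decodeUntrusted("';
const SUFFIX = '");</script>';
const BASE64_ONLY = /^[A-Za-z0-9+/=]*$/;

// Defensive check on the emitted markup: true when the only variable part is
// pure base64, i.e. no byte from the untrusted input reached the script
// context unencoded.
function payloadIsInert(scriptTag) {
  if (!scriptTag.startsWith(PREFIX) || !scriptTag.endsWith(SUFFIX)) {
    return false;
  }
  const middle = scriptTag.slice(PREFIX.length, scriptTag.length - SUFFIX.length);
  return BASE64_ONLY.test(middle);
}

// Client side: reverse the encoding. atob() yields one char per byte, so the
// bytes are collected and decoded as UTF-8 to round-trip non-ASCII text.
function decodeUntrusted(b64) {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Constructed sample: contains a closing tag, an entity and a non-ASCII char.
const sample = '</script><b>&amp;</b> "quoted" \u00e9';
const tag = encodeForInlineScript(sample);
console.log(tag);
console.log(payloadIsInert(tag));                       // true
console.log(decodeUntrusted(tag.match(/"([^"]*)"/)[1]) === sample); // true
```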