
Re: New html security tag

From: Andrew McFarland <andrew.mcfarland@unite.net>
Date: Fri, 16 Aug 2002 16:01:40 +0100
Message-Id: <5.1.0.14.0.20020816154154.009e8890@127.0.0.1>
To: www-html@w3.org

At 08:55 16/08/2002 -0500, Carlos Paz wrote:
<snip/>
>A problem that most web developers must face today is the security risk
>involved with the publication of user contributed data on their website
>that allows some html formatting tags,
<snip/>

Then surely this is a problem that should be solved by the web developers - 
if you are going to allow raw HTML, make sure you only allow those tags and 
attributes you _know_ to be safe, or (better still) define a mini language 
that users can use - _b_ bold text here _!b_ - for example.

Adding a security element to HTML strikes me as wrong for two reasons:

         o You are making HTML contain device-dependent information, in
           much the same way as the font element did.

         o Even if the above wasn't an issue, for the security element to
           work browser vendors would have to implement it in a (relatively)
           bug-free way and users would have to upgrade their browsers. There
           is _no way_ developers could depend on a security element.

A security tag would be an inappropriate and ineffective thing IMO. 
Possibly something like a content-tainted HTTP header would be useful. 
Possibly not.

Andrew

--
Andrew McFarland
UNITE Solutions
http://www.unite.net/
Received on Friday, 16 August 2002 11:05:18 GMT
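
The mini language suggested in the message above, sketched as an added example (not part of the original post): all user input is HTML-escaped, and only the _b_ ... _!b_ style tokens are turned into tags. Only _b_ appears in the message; the _i_ and _u_ tokens and the function name render_mini are assumptions made for illustration.

```python
import html
import re

# Assumption: only _b_ comes from the post; _i_ and _u_ are hypothetical additions.
ALLOWED = {"b", "i", "u"}
TOKEN = re.compile(r"_(!?)([a-z]+)_")


def render_mini(text: str) -> str:
    """Render the mini language to HTML; every other character is escaped."""
    out = []
    stack = []  # currently open tags, innermost last
    pos = 0
    for m in TOKEN.finditer(text):
        # Raw user text between tokens never reaches the page unescaped.
        out.append(html.escape(text[pos:m.start()]))
        pos = m.end()
        closing, name = m.group(1) == "!", m.group(2)
        if name not in ALLOWED:
            out.append(html.escape(m.group(0)))  # unknown token stays literal
        elif not closing:
            stack.append(name)
            out.append(f"<{name}>")
        elif stack and stack[-1] == name:
            stack.pop()
            out.append(f"</{name}>")
        else:
            out.append(html.escape(m.group(0)))  # stray or mis-nested closer
    out.append(html.escape(text[pos:]))
    # Close whatever the user left open so it cannot affect the rest of the page.
    out.extend(f"</{name}>" for name in reversed(stack))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("_b_ bold text here _!b_",
                   '<b onclick="x">hi</b>',
                   "_b_never closed"):
        print(render_mini(sample))
```

Because the output tags are generated by the renderer and never copied from the input, attributes and unknown elements cannot be smuggled in, which is the property an allow-list filter over raw HTML has to work much harder to guarantee.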
