W3C home > Mailing lists > Public > www-html@w3.org > August 2002

Re: New html security tag

From: Nicolás Lichtmaier <nick@technisys.com.ar>
Date: Wed, 21 Aug 2002 21:47:18 -0300
To: www-html@w3.org
Message-ID: <ak1c8i$ubj$1@main.gmane.org>


> <html>
> ...
> web app's html
> ...
> <p>A user's comment:</p>
> <security block="action_tags" id="SECURITY_TAG_ID"
> report_to="/security.php">
> Here goes the user's data, comments, hmtl, etc.
> All harmless html code is rendered, but code enabling tags
> (java/script,activex and other not known/implemented dangerous tags)
> stuff is ignored.
> </security id="SECURITY_TAG_ID">
> ...
> The rest of the app's html.
> ...
> </html>

Interesting suggestion. It could be shaped like this:

This attribute in every block element:

<!ATTLIST ...
trust    (trusted|marginal|untrusted)    trusted
 >

trusted:
	noop
untrusted:
	scripting elements will be ignored
marginal:
	Well.. this is harder... It would work like this (taking JavaScript as 
an example). It would replace the "window" global object with another 
window object with restricted functionality. window.document would have 
access only to the document fragment inside the area.

All of this would be part of the "scripting" module...
Received on Wednesday, 21 August 2002 20:47:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:52 GMT