Hello all,

I'm no expert on (X)HTML but I had an idea that I think might help implement more secure web applications, in more specific words, protecting users against XSS attacks.

The idea is to add a "nocode" (or a more descriptive name) attribute to elements that hints the browser to not execute any client-side code found within that element. For example, a content management system or a blog software that allows comments on some entry might use the following markup:

    <div id="comment123" nocode="true">
      <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script>
    </div>

Of course it's not a complete alternative to server-side filters, but it would act as a secondary safeguard solidifying a "defense in depth" approach.

Comments are welcome.

Regards,
Ahmed

Received on Sunday, 20 August 2006 02:13:36 GMT
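As an added illustration that is not part of Ahmed's post, the following Python model walks a fragment with the standard-library HTML parser and reports which script elements and inline event-handler attributes would run and which would be suppressed under the proposed semantics, with the "nocode" flag inherited by every descendant of the marked element. The attribute name, the handler-attribute rule and the sample markup are assumptions made here for the demonstration.

```python
from html.parser import HTMLParser


class NocodeModel(HTMLParser):
    """Model of the proposed 'nocode' attribute (hypothetical, not a browser feature).

    Keeps one flag per open element recording whether it sits inside an element
    marked nocode="true"; scripts and on* handler attributes found while that
    flag is set are listed as blocked, everything else as executed."""

    VOID = {"br", "img", "input", "hr", "meta", "link"}  # never pushed on the stack

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []            # nocode state of each open element
        self.in_script = False
        self.script_nocode = False
        self.script_buf = []
        self.executed = []
        self.blocked = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        inherited = self.stack[-1] if self.stack else False
        nocode = inherited or (attrs.get("nocode") or "").lower() == "true"
        if tag not in self.VOID:
            self.stack.append(nocode)
        # Inline handlers (onclick, onmouseover, ...) count as client-side code too.
        for name in attrs:
            if name.startswith("on"):
                (self.blocked if nocode else self.executed).append(f"{tag}@{name}")
        if tag == "script":
            self.in_script, self.script_nocode, self.script_buf = True, nocode, []

    def handle_data(self, data):
        if self.in_script:
            self.script_buf.append(data)   # script bodies arrive as CDATA chunks

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            code = "".join(self.script_buf).strip()
            (self.blocked if self.script_nocode else self.executed).append(f"script:{code}")
            self.in_script = False
        if self.stack and tag not in self.VOID:
            self.stack.pop()


def simulate(fragment):
    """Return (executed, blocked) lists for an HTML fragment."""
    model = NocodeModel()
    model.feed(fragment)
    model.close()
    return model.executed, model.blocked


# Constructed sample: site-owned scripts outside the comment, user content inside it.
SAMPLE = """
<div id="entry"><script>trackPageView();</script></div>
<div id="comment123" nocode="true">
  <p onmouseover="runHandler()">Nice post!</p>
  <script type="text/javascript">alert('evaded the server-side filter');</script>
  <span><script>alert('nested');</script></span>
</div>
<script>renderFooter();</script>
"""

if __name__ == "__main__":
    ran, stopped = simulate(SAMPLE)
    print("executed:", ran)
    print("blocked: ", stopped)
```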
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 July 2008 07:54:34 GMT