W3C home > Mailing lists > Public > www-html@w3.org > August 2006

Security Markup

From: Ahmed Saad <ahmed.lists@gmail.com>
Date: Sat, 19 Aug 2006 16:25:22 +0300
Message-ID: <d334e39d0608190625w1d9d8311pbcd68f26a78ab5af@mail.gmail.com>
To: www-html@w3.org

Hello all,

I'm no expert on (X)HTML but I had an idea that I think might help
implement more secure web applications, in more specific words,
protecting users against XSS attacks.  The idea is to add a "nocode"
(or a more descriptive name) attribute to elements that hints the
browser to not execute any client-side code found within that element.
For example, a content management system or a blog software that
allows comments on some entry might use the following markup ..

<div id="comment123"  nocode="true">
<script type="text/javascript">alert('This piece of code will not be
executed even though it evaded the server-side filter');</script>

Of course it's not a complete alternative to server-side filters, but
it would act as a secondary safe guard solidifying a "defense in
depth" approach. Comments are welcome.

Received on Sunday, 20 August 2006 02:13:36 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:06:13 UTC