Re: Security Markup

From: Mark Birbeck <mark.birbeck@x-port.net>
Date: Sun, 20 Aug 2006 21:00:37 +0100
Message-ID: <640dd5060608201300q613bd095rcf4ff2e7fead3208@mail.gmail.com>
To: "Ahmed Saad" <ahmed.lists@gmail.com>
Cc: www-html@w3.org

Ahmed,

Interesting idea. Have you seen the @role attribute in XHTML 2, which
is being developed as a standalone module so that it can be used in
XHTML 1.x? That may be another way to implement the kind of thing you
are talking about, without the need for more attributes.

Regards,

Mark


On 19/08/06, Ahmed Saad <ahmed.lists@gmail.com> wrote:
>
> Hello all,
>
> I'm no expert on (X)HTML but I had an idea that I think might help
> implement more secure web applications, in more specific words,
> protecting users against XSS attacks.  The idea is to add a "nocode"
> (or a more descriptive name) attribute to elements that hints the
> browser to not execute any client-side code found within that element.
> For example, a content management system or a blog software that
> allows comments on some entry might use the following markup ..
>
> <div id="comment123"  nocode="true">
> <script type="text/javascript">alert('This piece of code will not be
> executed even though it evaded the server-side filter');</script>
> </div>
>
> Of course it's not a complete alternative to server-side filters, but
> it would act as a secondary safeguard solidifying a "defense in
> depth" approach. Comments are welcome.
>
>
> Regards,
> Ahmed
>

-- 
Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from
http://www.formsPlayer.com/
Received on Sunday, 20 August 2006 20:00:46 GMT
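The quoted proposal, as an added example that is not part of this thread: a Python filter of my own construction, built on the standard library's html.parser, that emulates what a browser honouring nocode="true" would do (drop script elements, on* handlers and javascript: URLs inside the marked element, leave everything outside it untouched). The SAMPLE input is constructed from the markup in the quoted message.

```python
from html import escape
from html.parser import HTMLParser

class NoCodeFilter(HTMLParser):
    """Emulate nocode="true": neutralise client-side code inside marked elements."""
    VOID = {"br", "img", "hr", "input", "meta", "link"}

    def __init__(self):
        super().__init__()      # convert_charrefs=True: text arrives decoded
        self.out = []
        self.stack = []         # per open element: True if inside a nocode region
        self.skipping = False   # True while inside a <script> in a nocode region

    def handle_starttag(self, tag, attrs):
        nocode = bool(self.stack and self.stack[-1]) or any(
            k == "nocode" and (v or "").lower() == "true" for k, v in attrs)
        if nocode and tag == "script":
            self.skipping = True   # discard the element and its contents
            return
        if nocode:   # strip inline handlers and javascript: URLs
            attrs = [(k, v) for k, v in attrs if not k.startswith("on") and not (
                k in ("href", "src") and (v or "").strip().lower().startswith("javascript:"))]
        rendered = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")
        if tag not in self.VOID:
            self.stack.append(nocode)

    def handle_endtag(self, tag):
        if self.skipping:
            self.skipping = tag != "script"   # only </script> ends the skip
        elif tag not in self.VOID:
            if self.stack:
                self.stack.pop()
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))   # re-escape decoded text

def apply_nocode(html: str) -> str:
    p = NoCodeFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)

# Constructed sample: the comment region from the thread plus a trusted script outside it
SAMPLE = ('<div id="comment123" nocode="true"><script>alert("evaded filter")</script>'
          '<a href="javascript:alert(1)" onclick="alert(2)">link</a>'
          '<b>bold &lt;script&gt; text</b></div><script>trusted();</script>')
```

Running apply_nocode(SAMPLE) keeps the trusted script and the comment's harmless markup while the script, the handler and the javascript: link inside the nocode region disappear.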

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:16:07 GMT