
Re: Security Markup

From: Mark Birbeck <mark.birbeck@x-port.net>
Date: Sun, 20 Aug 2006 21:00:37 +0100
Message-ID: <640dd5060608201300q613bd095rcf4ff2e7fead3208@mail.gmail.com>
To: "Ahmed Saad" <ahmed.lists@gmail.com>
Cc: www-html@w3.org


Interesting idea. Have you seen the @role attribute in XHTML 2, which
is being developed as a standalone module so that it can be used in
XHTML 1.x? That may be another way to implement the kind of thing you
are talking about, without the need for more attributes.



On 19/08/06, Ahmed Saad <ahmed.lists@gmail.com> wrote:
> Hello all,
> I'm no expert on (X)HTML but I had an idea that I think might help
> implement more secure web applications, in more specific words,
> protecting users against XSS attacks.  The idea is to add a "nocode"
> (or a more descriptive name) attribute to elements that hints the
> browser to not execute any client-side code found within that element.
> For example, a content management system or a blog software that
> allows comments on some entry might use the following markup ..
> <div id="comment123" nocode="true">
> <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script>
> </div>
> Of course it's not a complete alternative to server-side filters, but
> it would act as a secondary safeguard solidifying a "defense in
> depth" approach. Comments are welcome.
> Regards,
> Ahmed

Mark Birbeck
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from
Received on Sunday, 20 August 2006 20:00:46 UTC
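
Added example (not part of the thread, and not code from either poster or from any browser): a Python sketch of the scoping rule the proposal describes, sorting script-bearing markup by whether it sits inside an element carrying nocode="true". The names NoCodeAudit, audit and SAMPLE are hypothetical, the sample markup is constructed, and well-nested XHTML-style markup is assumed.

```python
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag

class NoCodeAudit(HTMLParser):
    """Sorts script-bearing markup by whether a nocode="true" ancestor covers it."""

    def __init__(self):
        super().__init__()
        self.stack = []        # per open element: does it carry nocode="true"?
        self.suppressed = []   # code the proposed hint would keep from running
        self.would_run = []    # code outside every nocode region

    def handle_starttag(self, tag, attrs):
        # Only descendants are covered; the marked element itself comes from
        # the page template, so its own attributes are treated as trusted.
        bucket = self.suppressed if any(self.stack) else self.would_run
        if tag not in VOID:
            self.stack.append(dict(attrs).get("nocode") == "true")
        if tag == "script":
            bucket.append("<script>")
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on") or url.startswith("javascript:"):
                bucket.append(f"{tag}@{name}")

    def handle_endtag(self, tag):
        # Assumption: tags are well nested, so each end tag closes the last open one.
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(markup):
    """Return (suppressed, would_run) for one document."""
    parser = NoCodeAudit()
    parser.feed(markup)
    parser.close()
    return parser.suppressed, parser.would_run

# Constructed sample: a comment area marked nocode, surrounded by site markup.
SAMPLE = (
    '<script>init()</script>'
    '<div id="comment123" nocode="true">'
    '<p onclick="track()">hi</p>'
    "<script type=\"text/javascript\">alert('evaded the filter');</script>"
    '<a href="javascript:void(0)">link</a>'
    '</div>'
    '<p onclick="ok()">site chrome</p>'
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```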
