
Re: Security Markup

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Mon, 21 Aug 2006 15:34:24 +0200
To: "Ahmed Saad" <ahmed.lists@gmail.com>
Cc: www-html@w3.org
Message-ID: <9ocje21u6fcar1vl5qivoa4q80p1v1lrb1@hive.bjoern.hoehrmann.de>

* Ahmed Saad wrote:
>For the sake of clarity, the example I wrote was overly simplistic to
>get the idea across. Of course any reasonably coded filter can handle
>such an example but "real world" XSS vulnerabilities are never that
>simple.

Virtually all real-world web site script injection flaws are extremely
trivial ones, actually. As for dealing with browser vendors making it
more and more difficult to filter all the bad stuff out, that is indeed
a problem, but you'd have a much better 80/20 solution if you introduce
a processing instruction that prevents script execution from anywhere
but external scripts from the same site as the document.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Monday, 21 August 2006 13:41:15 GMT
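The policy Bjoern sketches above (no script runs unless it is an external script served from the document's own host) can be modelled as a filter; the following is an added example, not code from this thread or from the W3C, and the class name, function name and sample markup are assumptions. It compares hosts only, so ports and userinfo in a netloc count as a different site.

```python
# Added example (not from the thread): same-site-only script policy; names and sample are assumed
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class SameSiteScriptFilter(HTMLParser):
    """Drops inline <script> bodies, on* handlers, javascript: URLs and
    off-site <script src>; everything else (entities included) passes."""
    def __init__(self, doc_url):
        super().__init__(convert_charrefs=False)
        self.doc_url, self.host = doc_url, urlsplit(doc_url).netloc.lower()
        self.out, self.dropped, self._skip = [], [], False

    def _same_site(self, src):  # resolve relative URLs before comparing hosts
        return urlsplit(urljoin(self.doc_url, src)).netloc.lower() == self.host

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None or not self._same_site(src):
                self.dropped.append(f"script src={src!r}")
                self._skip = True  # swallow the tag and its CDATA body
                return
        kept = []
        for name, value in attrs:
            flat = "".join((value or "").split()).lower()  # foils "java\tscript:"
            if name.startswith("on") or flat.startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script" and self._skip:
            self._skip = False
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(data)

    def handle_entityref(self, name): self.handle_data(f"&{name};")
    def handle_charref(self, name): self.handle_data(f"&#{name};")


def filter_html(markup, doc_url):
    """Return (filtered markup, list of what was dropped) for auditing."""
    f = SameSiteScriptFilter(doc_url)
    f.feed(markup); f.close()
    return "".join(f.out), f.dropped


# Constructed sample: one legitimate same-site script plus the things the policy blocks
SAMPLE = ('<p onclick="steal()">Hi &amp; bye</p><script src="/js/app.js"></script>'
          '<script src="http://evil.example/x.js"></script><script>alert(1)</script>'
          '<a href="java\tscript:alert(1)">x</a>')
```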
