W3C home > Mailing lists > Public > www-math@w3.org > April 2008

Re: "/>" (was Re: several messages about New Vocabularies in text/html

From: Bruce Miller <bruce.miller@nist.gov>
Date: Wed, 02 Apr 2008 11:58:51 -0400
To: Henri Sivonen <hsivonen@iki.fi>
Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Message-id: <47F3AD3B.3000207@nist.gov>

Henri Sivonen wrote:
> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>> A minor question:
>> Is handling <whatevertag/> in HTML5 really a problem?
> Yes. Consider the security implications of different browsers and 
> gatekeepers considering different things executable with <script/>.

I'm trying, but I don't get it.
I guess you're saying that with something like:
that some agents would think the dangerous stuff is executable,
and others would think it's not?

If so, then that's really my point: HTML5 could specify,
eg. that <script/> is empty.  Then, whether or not </script>
`auto opens' another <script> in front of, or behind, or whereever,
do_dangerous_stuff(), well that's up to the HTML5 spec as well
(I haven't thought enough about it to have a preference;
 just tell me which it is)

Or if you're saying that there are security implications of
software having bugs, or not following specs... 

>> _Surely_, no one out there is writing HTML using <whatevertag/>
>> when they _dont_ mean to close the element?!?!?!
> Oh, there are people who *think* they are closing and element with 
> <whatevertag/>.

Well, that was really my point:
 Why not specify that it _does_ close the element?

> I think it is pretty safe to say that some of them end up relying on the 
> actual layout or form behavior they get when <whatevertag/> doesn't 
> close the element, but I don't have data to support this claim.

Received on Wednesday, 2 April 2008 15:59:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:27:40 UTC