Henri Sivonen wrote:
> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>> I'm trying, but I don't get it.
>> I guess you're saying that with something like:
>> <script/>
>> do_dangerous_stuff();
>> </script>
> Gatekeeper applying the rule "/> always closes" would determine that
> do_dangerous_stuff(); is not executable but existing browsers would
> still run it. Of course, this is the wrong way to write a gatekeeper.
> The right way is *never* to pass through original source but to always
> run a parser, followed by sanitizer, followed by serializer. However, we
> can't expect people who write gatekeepers to be competent.

Hmm.... Can </script> put do_dangerous_stuff(); into a (new) <script> so that "everybody" agrees it's executable?

What do current browsers do with:

<script/>
do_dangerous_stuff();
<body>....

?

--
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/

Received on Wednesday, 2 April 2008 16:15:14 GMT
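As an added illustration (not code from the thread or from any project mentioned in it), the following Python models the two approaches Henri contrasts: a text-level gatekeeper that applies the "/> always closes" rule and then passes the original source through, versus a tokenizer following the browser rule (the self-closing flag on <script> is ignored and everything up to </script> is raw script text) used in a parse, sanitize, serialize pipeline. The tokenizer, the function names and the sample markup are simplified constructions for this demonstration, not a real HTML5 parser.

```python
import re
from typing import Iterator, List, Tuple

# Constructed sample input, built from the markup quoted in the thread.
SAMPLE = "<p>hello</p><script/>\ndo_dangerous_stuff();\n</script><p>bye</p>"

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^<>]*?)(/?)>", re.S)
SCRIPT_END_RE = re.compile(r"</script\s*>", re.I)


def tokenize(html: str, self_closing_closes_script: bool) -> Iterator[Tuple]:
    """Toy tokenizer yielding ("text", s), ("script", body) or
    ("tag", name, is_end, raw). The flag selects the gatekeeper rule
    ("/>" always closes, so <script/> is an empty element) or the browser
    rule (self-closing flag ignored: <script> always switches to raw-text
    mode and the body runs until the next </script>)."""
    pos = 0
    while True:
        m = TAG_RE.search(html, pos)
        if not m:
            if pos < len(html):
                yield ("text", html[pos:])
            return
        if m.start() > pos:
            yield ("text", html[pos:m.start()])
        is_end, name, _attrs, slash = m.groups()
        name = name.lower()
        yield ("tag", name, bool(is_end), m.group(0))
        pos = m.end()
        if name == "script" and not is_end and not (slash and self_closing_closes_script):
            end = SCRIPT_END_RE.search(html, pos)        # raw text: no tags inside
            body_end = end.start() if end else len(html)
            yield ("script", html[pos:body_end])
            pos = end.end() if end else len(html)
            if end:
                yield ("tag", "script", True, end.group(0))


def script_bodies(html: str, browser_rules: bool) -> List[str]:
    return [t[1] for t in tokenize(html, not browser_rules) if t[0] == "script"]


def naive_gatekeeper_accepts(html: str) -> bool:
    """Gatekeeper as criticised in the thread: checks the source with the
    '/> closes' rule and, if no script body is found, lets the ORIGINAL
    source through untouched, so a browser still sees the script."""
    return not script_bodies(html, browser_rules=True) or not script_bodies(html, browser_rules=False)


def sanitize(html: str) -> str:
    """Parse with the browser rule, drop script elements, serialize."""
    out = []
    for tok in tokenize(html, self_closing_closes_script=False):
        if tok[0] == "text":
            out.append(tok[1])
        elif tok[0] == "tag" and tok[1] != "script":
            out.append(tok[3])       # script tags and bodies are dropped
    return "".join(out)
```

Run against SAMPLE, the naive gatekeeper finds no script body and accepts the document as-is, the browser-rule tokenizer recovers the body `do_dangerous_stuff();`, and the sanitizer's re-serialized output contains no script at all.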