- From: David Woolley <david@djwhome.demon.co.uk>
- Date: Mon, 21 Aug 2006 07:30:39 +0100 (BST)
- To: www-style@w3.org
> protecting users against XSS attacks. The idea is to add a "nocode"
> (or a more descriptive name) attribute to elements that hints the

I think this has the same flaw as the recent Google invention of an attribute that prevents third-party content links being followed, in that it is a command to the browser, rather than a description of the content. I suspect the same descriptive property would actually have covered both cases.

> browser to not execute any client-side code found within that element.
> For example, a content management system or a blog software that
> allows comments on some entry might use the following markup ..

One needs to consider what happens if the attribute is dynamically modified by scripting.

>
> <div id="comment123" nocode="true">

Historically, this would have been nocode="nocode", which, by SGML rules, can be collapsed to simply nocode in HTML. I don't know what the current policy is on this.

PS. It's a good idea to avoid two-word subjects that don't obviously relate to an active topic. Most of the spam that gets through my ISP's filters falls into that category these days, i.e. two random words from the dictionary. I discarded this unread until I saw the replies.
Received on Monday, 21 August 2006 07:07:58 UTC