- From: Yakov Shafranovich <yakov-ietf@shaftek.org>
- Date: Wed, 21 May 2014 23:21:20 -0400
- To: W3C CSV on the Web Working Group <public-csv-wg@w3.org>
One of the things I brought up during today's call is something I wanted to share with the list as well - security. Specifically, in regards to the conversion between CSV and other formats, especially where templates and languages are involved, we need to keep security in mind. IETF has an example of what they use here:

http://tools.ietf.org/html/rfc3552

For example, if we allow users to publish a template in XSLT, regex, etc. those consuming the template need to be aware that it may be malicious. Some examples are including files from the file system, running regex expressions that may cause DOS attacks, etc. Additionally, allowing URLs to point to outside systems may be an issue as well.

I believe there is a security review process via the web security WG for W3C standards but I am not familiar enough with it:

http://www.w3.org/Security/wiki/IG/W3C_spec_review

Just my two cents,
Yakov
Received on Thursday, 22 May 2014 03:22:18 UTC
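An added example, not part of the original message or of any W3C specification: one way a consumer could vet the external references in an untrusted XSLT template before running it, covering the file-inclusion and outside-URL concerns raised above. The function names, the `ALLOWED_HOSTS` policy and the sample template are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSL = "{http://www.w3.org/1999/XSL/Transform}"
ALLOWED_HOSTS = {"templates.example.org"}  # assumption: hosts the consumer trusts

def check_reference(href):
    """Return None if href may be fetched, otherwise the reason it is refused."""
    parts = urlsplit(href)
    if parts.scheme != "https":
        return "not an https URL (local path or other scheme)"
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return "IP-literal host"
    except ValueError:
        pass  # not an IP literal, so fall through to the hostname allowlist
    if host not in ALLOWED_HOSTS:
        return "host not on allowlist"
    return None

def audit_template(xslt_text):
    """List (reference, reason) pairs that should block use of the template."""
    if "<!DOCTYPE" in xslt_text:
        return [("<!DOCTYPE>", "DTD declarations are refused before parsing")]
    findings = []
    for el in ET.fromstring(xslt_text).iter():
        if el.tag in (XSL + "include", XSL + "import"):
            href = el.get("href", "")
            reason = check_reference(href)
            if reason:
                findings.append((href, reason))
        for value in el.attrib.values():
            if "document(" in value:
                findings.append((value, "document() loads an external resource"))
    return findings

# Constructed sample template, not taken from any real publisher.
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="https://10.0.0.5/internal.xsl"/>
  <xsl:include href="https://templates.example.org/common.xsl"/>
  <xsl:include href="file:///etc/passwd"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('../secrets.xml')"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for ref, why in audit_template(SAMPLE):
        print(f"BLOCK {ref}: {why}")
```

A static audit like this only decides whether to load the template; the XSLT processor should still run with network and file access disabled, and the regex concern needs a separate control such as an execution time limit.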