- From: <bugzilla@jessica.w3.org>
- Date: Thu, 04 Aug 2011 00:13:45 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13586

Adrian Bateman [MSFT] <adrianba@microsoft.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrianba@microsoft.com

--- Comment #2 from Adrian Bateman [MSFT] <adrianba@microsoft.com> 2011-08-04 00:13:44 UTC ---

This is an issue we identified during our security review of HTML5 Forms as we planned the support that we have included in IE10. We chose not to support the form attribute for this reason. We were planning to file a Last Call comment of our own on this issue today.

Reflection of content is pervasive, as we've seen with XSS. So the question is – are there pages that reflect content and also have interesting forms on them? Sure there are!

Server-side HTML filtering is designed to allow rich HTML content through but block script. So it's perfectly reasonable to expect that with current filters, untrusted content containing <SCRIPT> will get dropped but a "harmless" <BUTTON> or <INPUT> will not. Of course the filters can be modified to account for this, but why set them up to need this change? Not supporting this feature provides better defense in depth.

We didn't find an overwhelming use case that invalidated this thinking.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 4 August 2011 00:13:46 UTC
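The comment above notes that a server-side filter which passes a "harmless" `<button>` or `<input>` can be modified to account for the HTML5 `form` attribute (which lets a form-associated element attach itself to any form on the page by that form's `id`). The following is an added example of such a modification, written for this page and not code from Microsoft, the W3C or the bug's reporter. It uses Python's standard-library `html.parser` to drop `<script>` entirely and to strip only the `form` attribute from form-associated elements, leaving the element itself in place. The function and variable names, and the sample untrusted fragment, are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

# Elements that honour a form="" attribute per the HTML spec (fact, not assumption).
FORM_ASSOCIATED = {"button", "fieldset", "input", "object", "output", "select", "textarea"}
# Elements whose whole subtree is dropped by the filter.
BLOCKED_TAGS = {"script"}
# Void elements never get a closing tag on output.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "param", "source", "track", "wbr"}


class FormAttrStripper(HTMLParser):
    """Re-serialises untrusted HTML, dropping <script> and the form="" attribute.

    Hypothetical filter written for this example; everything that is not
    blocked is passed through unchanged apart from re-escaping of text.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []        # serialised output pieces
        self.skip_depth = 0  # >0 while inside a blocked element
        self.stripped = []   # (tag, form id) pairs removed, useful for logging

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            # The only change to an otherwise allowed element: it may no longer
            # re-parent itself into a different form on the hosting page.
            if tag in FORM_ASSOCIATED and name == "form":
                self.stripped.append((tag, value))
                continue
            kept.append((name, value))
        parts = [tag]
        for name, value in kept:
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in VOID:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize(untrusted_html):
    """Return (clean_html, stripped) for a fragment of untrusted HTML."""
    parser = FormAttrStripper()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out), list(parser.stripped)


# Constructed sample: a comment body that tries both a <script> and a button
# and hidden input that point at a form elsewhere on the page via form="".
SAMPLE = ('<p>Hi</p><script>alert(1)</script>'
          '<button form="site-form">Go</button>'
          '<input form="site-form" type="hidden" name="x" value="1">')

if __name__ == "__main__":
    clean, stripped = sanitize(SAMPLE)
    print(clean)
    for tag, form_id in stripped:
        print(f"stripped form={form_id!r} from <{tag}>")
```

The `stripped` list is the detection hook: an allowed element carrying a `form` attribute that names a form the untrusted content did not itself define is exactly the pattern the comment describes, so it is worth logging rather than silently dropping.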