Re: <code> element and scripting languages

On 03/15/2015 03:45 AM, Steve Faulkner wrote:
>
> On 14 March 2015 at 00:43, Michael A. Peters <mpeters@domblogger.net
> <mailto:mpeters@domblogger.net>> wrote:
>
>     HTML5 is a lazy spec without an actual specified DTD
>
>
>     DTDs are chiseled into stone tablets. And so for processing they
>     require stone-tablet-aware toolchains. Sadly however the Web was not
>     built on stone-tablet processing so we’ve had to look around for
>     other solutions. In the case of document-conformance checking we’ve
>     turned to using things like RelaxNG schemas that while lacking the
>     quaintness of DTDs are a far more powerful means for expressing
>     certain kinds of document-conformance requirements. So it’s a tradeoff.
>
>     /Mike Smith @W3C Deputy Director
>     http://html5doctor.com/html5-check-it-before-you-wreck-it-with-miketm-smith//
>

I get it - but we live with a web where some estimate that as many as 
70% of web sites are vulnerable to XSS injection and most users do not 
have the technical know-how to protect themselves.

Many XSS attacks are successful because browsers don't use stone 
chisels, but instead compensate for sloppy code, making it easy for 
attack vectors to sneak past server side filters.

I get it, the browsers don't want to be pedantic, but the web sure as hell 
would be a safer place if they were.

Going off topic, that's why I prefer sending content with an XML MIME 
type - because then the browsers are pedantic. But the lack of a DTD 
means only 5 named entities work, and people don't want to have to 
memorize things like &#913; when &copy; is easier - so the lack of a DTD 
holds back content from being served with a safer MIME type.

In my opinion.

Received on Sunday, 15 March 2015 11:57:49 UTC
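An added illustration of the pedantic-versus-forgiving distinction made in the reply above (example code, not part of the thread or of any W3C tooling): Python's expat-based XML parser rejects the same inputs a browser rejects for an XML MIME type, including the undefined `&copy;` entity, while the HTML parser silently compensates. The sample documents are constructed for this example.

```python
"""Strict XML parsing versus forgiving HTML parsing (added example)."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample documents.
XHTML_OK = '<p>Tom &amp; Jerry &lt;3 &quot;cheese&quot; &apos;ok&apos; &gt;</p>'
XHTML_COPY = '<p>&copy; 2015</p>'             # &copy; is not one of the 5 predefined entities
XHTML_NUMERIC = '<p>&#169; 2015</p>'          # a numeric reference needs no DTD
SLOPPY = '<p>unclosed <b>bold <i>nested</p>'  # tag soup an HTML parser accepts


def parse_as_xml(doc):
    """Parse as a browser does for an XML MIME type: any error is fatal.

    Returns (ok, text) where text is the element text on success or the
    parser's error message on failure.
    """
    try:
        root = ET.fromstring(doc)
        return True, "".join(root.itertext())
    except ET.ParseError as exc:
        return False, str(exc)


class _TextCollector(HTMLParser):
    """Collects character data; entity references are decoded by the parser."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def parse_as_html(doc):
    """Parse as text/html is parsed: malformed input is never rejected."""
    collector = _TextCollector()
    collector.feed(doc)
    collector.close()
    return True, "".join(collector.parts)


if __name__ == "__main__":
    for name, doc in [("ok", XHTML_OK), ("copy", XHTML_COPY),
                      ("numeric", XHTML_NUMERIC), ("sloppy", SLOPPY)]:
        print(name, "xml:", parse_as_xml(doc), "html:", parse_as_html(doc))
```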