- From: Bruce Miller <bruce.miller@nist.gov>
- Date: Wed, 02 Apr 2008 11:58:51 -0400
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Henri Sivonen wrote:
> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>> A minor question:
>> Is handling <whatevertag/> in HTML5 really a problem?
>
> Yes. Consider the security implications of different browsers and
> gatekeepers considering different things executable with <script/>.

I'm trying, but I don't get it.
I guess you're saying that with something like:

  <script/>
  do_dangerous_stuff();
  </script>

that some agents would think the dangerous stuff is executable,
and others would think it's not?

If so, then that's really my point: HTML5 could specify,
e.g., that <script/> is empty. Then, whether or not </script>
`auto opens' another <script> in front of, or behind, or wherever,
do_dangerous_stuff(), well that's up to the HTML5 spec as well
(I haven't thought enough about it to have a preference;
just tell me which it is)

Or if you're saying that there are security implications of
software having bugs, or not following specs...

>> _Surely_, no one out there is writing HTML using <whatevertag/>
>> when they _don't_ mean to close the element?!?!?!
>
> Oh, there are people who *think* they are closing an element with
> <whatevertag/>.

Well, that was really my point:
Why not specify that it _does_ close the element?

> I think it is pretty safe to say that some of them end up relying on the
> actual layout or form behavior they get when <whatevertag/> doesn't
> close the element, but I don't have data to support this claim.
>
--
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/
Received on Wednesday, 2 April 2008 15:59:54 UTC
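
The disagreement discussed in this thread, as an added example that is not part of the original message: a simplified model (regex-based, not a real HTML parser) of the two readings of `<script/>`, plus a gatekeeper-side check that reports input on which they differ. The names `scriptBodies` and `readingsDisagree` are hypothetical, and the sample input is constructed from the markup quoted above.

```javascript
// Added example: two simplified readings of "<script/>", not a full HTML parser.
// Constructed sample input, built from the markup quoted in the message.
const SAMPLE = "<p>hi</p><script/>\ndo_dangerous_stuff();\n</script>";

// Matches a script start tag, capturing an optional "/" right before ">".
const SCRIPT_OPEN = /<script\b[^>]*?(\/?)>/gi;
const SCRIPT_CLOSE = /<\/script\s*>/i;

// Return the text that one reading would treat as script content.
// selfClosingEmpties = true : "<script/>" is an empty element.
// selfClosingEmpties = false: the "/" is ignored and "<script/>" opens an element.
function scriptBodies(src, selfClosingEmpties) {
  const bodies = [];
  SCRIPT_OPEN.lastIndex = 0;
  let m;
  while ((m = SCRIPT_OPEN.exec(src)) !== null) {
    if (m[1] === "/" && selfClosingEmpties) {
      bodies.push(""); // empty element; the text after it is ordinary content
      continue;
    }
    const rest = src.slice(SCRIPT_OPEN.lastIndex);
    const close = SCRIPT_CLOSE.exec(rest);
    const end = close ? close.index : rest.length; // unterminated: runs to end of input
    bodies.push(rest.slice(0, end));
    SCRIPT_OPEN.lastIndex += end + (close ? close[0].length : 0);
  }
  return bodies;
}

// Gatekeeper-side check: true when the two readings see different script content,
// i.e. when a filter and a browser could disagree about what is executable.
function readingsDisagree(src) {
  const asEmpty = scriptBodies(src, true).join("\u0000");
  const asOpen = scriptBodies(src, false).join("\u0000");
  return asEmpty !== asOpen;
}
```

A filter that rejects or normalises any input for which `readingsDisagree` returns true does not have to guess which reading the consuming browser implements.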