- From: Bruce Miller <bruce.miller@nist.gov>
- Date: Wed, 02 Apr 2008 11:58:51 -0400
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Henri Sivonen wrote: > On Apr 2, 2008, at 18:29, Bruce Miller wrote: >> A minor question: >> Is handling <whatevertag/> in HTML5 really a problem? > > Yes. Consider the security implications of different browsers and > gatekeepers considering different things executable with <script/>. I'm trying, but I don't get it. I guess you're saying that with something like: <script/> do_dangerous_stuff(); </script> that some agents would think the dangerous stuff is executable, and others would think it's not? If so, then that's really my point: HTML5 could specify, eg. that <script/> is empty. Then, whether or not </script> `auto opens' another <script> in front of, or behind, or whereever, do_dangerous_stuff(), well that's up to the HTML5 spec as well (I haven't thought enough about it to have a preference; just tell me which it is) Or if you're saying that there are security implications of software having bugs, or not following specs... >> _Surely_, no one out there is writing HTML using <whatevertag/> >> when they _dont_ mean to close the element?!?!?! > > Oh, there are people who *think* they are closing and element with > <whatevertag/>. Well, that was really my point: Why not specify that it _does_ close the element? > I think it is pretty safe to say that some of them end up relying on the > actual layout or form behavior they get when <whatevertag/> doesn't > close the element, but I don't have data to support this claim. > -- bruce.miller@nist.gov http://math.nist.gov/~BMiller/
Received on Wednesday, 2 April 2008 15:59:54 UTC