Re: "/>" (was Re: several messages about New Vocabularies in text/html from Henri Sivonen on 2008-04-02 (public-html@w3.org from April 2008)

From: Henri Sivonen <hsivonen@iki.fi>
Date: Wed, 2 Apr 2008 19:07:57 +0300
To: Bruce Miller <bruce.miller@nist.gov>
Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Message-Id: <A4F9EAEA-9493-4467-B8A5-C1F02E5D6B40@iki.fi>

On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>>> A minor question:
>>> Is handling <whatevertag/> in HTML5 really a problem?
>> Yes. Consider the security implications of different browsers and  
>> gatekeepers considering different things executable with <script/>.
>
> I'm trying, but I don't get it.
> I guess you're saying that with something like:
> <script/>
>    do_dangerous_stuff();
> </script>
> that some agents would think the dangerous stuff is executable,
> and others would think it's not?
>
> If so, then that's really my point: HTML5 could specify,
> eg. that <script/> is empty.  Then, whether or not </script>
> `auto opens' another <script> in front of, or behind, or whereever,
> do_dangerous_stuff(), well that's up to the HTML5 spec as well
> (I haven't thought enough about it to have a preference;
> just tell me which it is)
>
> Or if you're saying that there are security implications of
> software having bugs, or not following specs...

Gatekeeper applying the rule "/> always closes" would determine that  
do_dangerous_stuff(); is not executable but existing browsers would  
still run it. Of course, this is the wrong way to write a gatekeeper.  
The right way is *never* to pass through original source but to always  
run a parser, followed by sanitizer, followed by serializer. However,  
we can't expect people who write gatekeepers to be competent.

>>> _Surely_, no one out there is writing HTML using <whatevertag/>
>>> when they _dont_ mean to close the element?!?!?!
>> Oh, there are people who *think* they are closing and element with  
>> <whatevertag/>.
>
> Well, that was really my point:
> Why not specify that it _does_ close the element?

Because it would change parsing of existing pages--possibly in ways  
that would "break" the pages.

>> I think it is pretty safe to say that some of them end up relying  
>> on the actual layout or form behavior they get when <whatevertag/>  
>> doesn't close the element, but I don't have data to support this  
>> claim.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Wednesday, 2 April 2008 16:08:51 UTC