- From: Bruce Miller <bruce.miller@nist.gov>
- Date: Wed, 02 Apr 2008 12:13:51 -0400
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Henri Sivonen wrote: > > On Apr 2, 2008, at 18:58, Bruce Miller wrote: >> I'm trying, but I don't get it. >> I guess you're saying that with something like: >> <script/> >> do_dangerous_stuff(); >> </script> > Gatekeeper applying the rule "/> always closes" would determine that > do_dangerous_stuff(); is not executable but existing browsers would > still run it. Of course, this is the wrong way to write a gatekeeper. > The right way is *never* to pass through original source but to always > run a parser, followed by sanitizer, followed by serializer. However, we > can't expect people who write gatekeepers to be competent. Hmm.... Can </script> put do_dangerous_stuff(); into a (new) <script> so that "everybody" agrees it's executable? What do current browsers do with: <script/> do_dangerous_stuff(); <body>.... ? -- bruce.miller@nist.gov http://math.nist.gov/~BMiller/
Received on Wednesday, 2 April 2008 16:15:15 UTC