Re: "/>" (was Re: several messages about New Vocabularies in text/html

Henri Sivonen wrote:
> 
> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>> I'm trying, but I don't get it.
>> I guess you're saying that with something like:
>> <script/>
>>    do_dangerous_stuff();
>> </script>
> Gatekeeper applying the rule "/> always closes" would determine that 
> do_dangerous_stuff(); is not executable but existing browsers would 
> still run it. Of course, this is the wrong way to write a gatekeeper. 
> The right way is *never* to pass through original source but to always 
> run a parser, followed by sanitizer, followed by serializer. However, we 
> can't expect people who write gatekeepers to be competent.

Hmm....
Can </script> put do_dangerous_stuff(); into a (new) <script>
so that "everybody" agrees it's executable?

What do current browsers do with:
 <script/>
   do_dangerous_stuff();
 <body>....
?

-- 
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/

Received on Wednesday, 2 April 2008 16:15:15 UTC