- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Wed, 14 Apr 2010 17:13:33 -0700
- To: Shelley Powers <shelley.just@gmail.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, public-html@w3.org
On Wed, Apr 14, 2010 at 5:02 PM, Shelley Powers <shelley.just@gmail.com> wrote: > Most of Wordpress's problem in the past has been problems with SQL > Injection. I know, I found and fixed more than a few when I had forked > the application at one point. > > When you say long history, do you have specifics? Links? I had the > creator of Wordpress, Matt Mullenweg, respond to the necessity of > having to provide a srcdoc attribute, in which to stuff comments so > that we may be protected. He did not indicate interest. Google "wordpress xss vulnerability" for a long list of examples. > Perhaps you can find other weblog software developers and see if > they're interested. Or, since Ian stated that this attribute was for a > specific use case, ask him to provide documentation backing up the use > case: a request from a weblog developer, a commitment from tool > developers to use it. Something tangible. > > I've been working with weblogging software for a decade, and though I > may not be considered expert enough for this organization, I am fairly > comfortable stating that people who work with weblogging > templates--either authors, or tool or template builders, are highly > unlikely to use this attribute. As someone who writes webpages regularly, and is currently writing Yet Another Homebrew Blogging Platform for himself, I'd totally use this. It'd make my job a hell of a lot easier if I was certain that the browser was ensuring that an XSS attack was literally impossible, as every comment was safely sandboxed in its own iframe. > Infrequently updates wordpress blogs? You lost me on this. A new feature is supported by browsers, which happens to allow something that was previously allowed through the sanitizer due to being "harmless" to now do something bad. Wordpress, hopefully, will discover this quickly and push out an update. That helps people who update their blog software regularly. It does nothing for people who don't, and so are still running an old version with the vulnerable sanitizer. > I use Drupal -- I find it unlikely that Dries would be interested in > srcdoc, either. Okay. > Blogs written by hand won't have a comment system. The "by hand" part > negates that type of functionality. I meant, a personally-coded blogging software. Not someone who actually writes each page as a static file. > Frankly, if weblogging tool developers aren't keen on srcdoc, I don't > know if you can say that anyone else would be, either. You have not demonstrated such to my satisfaction, at least. >>> Now, others may think all of sandboxing is bad, but they should submit >>> a bug, accordingly. >> >> Half or more of your Change Proposal rationale is arguing that all of >> sandboxing is bad (most particularly, the part arguing that authors >> are too stupid to realize that using <iframe srcdoc sandbox> to >> display comments on their blog won't protect them against SQL >> injection when handling form submission of new comments). I would >> appreciate it if you would remove those sections and file bugs >> accordingly. > > Unless you've become the co-chair for this group, please refrain from > telling me to edit my proposals. That's the entire point of posting a Change Proposal to the group; we can suggest changes that would improve the document and hopefully come to an amicable resolution without having to solicit counter-proposals. This is also why we often formulate proposals on the wiki, so they can be altered easily, either by the author or by others. If you believe that your Change Proposals are perfect and inviolate when they are posted, you're doing it wrong. Also, seriously, chill. ~TJ
Received on Thursday, 15 April 2010 00:14:21 UTC