- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 18 Jan 2010 05:56:02 +0000 (UTC)
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: HTML WG <public-html@w3.org>
On Sun, 17 Jan 2010, Maciej Stachowiak wrote:
>
> Adam did specify "weak XSS filters". Even though filters based on
> blacklisting instead of whitelisting are poor design, I suspect a lot of
> sites still use them and therefore we might make existing sites more
> vulnerable.

Yes, but we do so every time we invent a new event handler (e.g. onhashchange), content embedding mechanism (e.g. <video>), styling mechanism (e.g. <style scoped>), element with special styling or parsing rules (e.g. <ruby>), feature affecting the rendering (e.g. hidden=""), attribute affecting the UI (e.g. <input required>), etc etc etc.

I mean, pretty much any new feature in HTML5 can be a problem for an XSS filter with a matching weakness. If we start being worried about this, we are likely to end up frozen in fear, unable to invent anything.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 18 January 2010 05:56:31 UTC
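
The contrast the thread turns on, shown as an added example that is not part of the original message: a filter that enumerates known handler names passes a handler introduced later, while an allowlist drops anything it was never told about. The handler list, the allowlist and the sample markup are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed denylist: handler names a filter written before HTML5 might know.
KNOWN_HANDLERS = ("onclick", "onload", "onerror", "onmouseover", "onfocus")
DENY_RE = re.compile(
    r"\s(?:%s)\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)" % "|".join(KNOWN_HANDLERS), re.I)

def denylist_filter(markup):
    """Weak filter: strips only the handler attributes it knows by name."""
    return DENY_RE.sub("", markup)

# Constructed allowlist: element -> permitted attributes. Everything else,
# including features invented after the list was written, is dropped.
ALLOWED = {"p": set(), "b": set(), "a": {"href"}}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue  # only plain web links survive
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def allowlist_filter(markup):
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(markup)
    sanitizer.close()
    return "".join(sanitizer.out)

# Constructed sample using the handler and attribute named in the message.
SAMPLE = '<body onload="f()" onhashchange="g()"><p hidden="">hi <b>there</b></p></body>'
```
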