On Sun, 17 Jan 2010, Maciej Stachowiak wrote:
>
> Adam did specify "weak XSS filters". Even though filters based on
> blacklisting instead of whitelisting are poor design, I suspect a lot of
> sites still use them and therefore we might make existing sites more
> vulnerable.

Yes, but we do so every time we invent a new event handler (e.g.
onhashchange), content embedding mechanism (e.g. <video>), styling
mechanism (e.g. <style scoped>), element with special styling or parsing
rules (e.g. <ruby>), feature affecting the rendering (e.g. hidden=""),
attribute affecting the UI (e.g. <input required>), etc etc etc.

I mean, pretty much any new feature in HTML5 can be a problem for an XSS
filter with a matching weakness. If we start being worried about this, we
are likely to end up frozen in fear, unable to invent anything.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 18 January 2010 05:56:31 UTC
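The contrast discussed in the message above, as an added example that is not part of the original thread: a filter that blacklists known names passes a handler introduced after it was written, while a filter that whitelists names drops it. The lists, the `sanitize` function and the sample markup are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# All lists and the sample are constructed for illustration.
# Denylist: only the handlers and tags its author knew about before HTML5.
DENIED_ATTRS = {"onclick", "onload", "onerror", "onmouseover", "onfocus"}
DENIED_TAGS = {"script", "iframe", "object", "embed"}
# Allowlist: tag -> permitted attributes; anything unlisted is dropped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
SAMPLE = ('<body onhashchange="f()"><p onclick="g()">hi</p>'
          '<video src="https://example.test/v.ogv"></video></body>')

class _Filter(HTMLParser):
    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist, self.out = allowlist, []

    def _keep_tag(self, tag):
        return tag in ALLOWED if self.allowlist else tag not in DENIED_TAGS

    def _keep_attr(self, tag, name, value):
        if not self.allowlist:
            return name not in DENIED_ATTRS  # unknown (new) names pass
        if name not in ALLOWED[tag]:
            return False  # unknown (new) names are dropped
        url = (value or "").strip().lower()
        return name != "href" or url.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if not self._keep_tag(tag):
            return
        kept = [(n, v) for n, v in attrs if self._keep_attr(tag, n, v)]
        text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{text}>")

    def handle_endtag(self, tag):
        if self._keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup, allowlist):
    """Re-serialize markup through the denylist or the allowlist policy."""
    parser = _Filter(allowlist)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Calling `sanitize(SAMPLE, allowlist=False)` keeps the `onhashchange` attribute and the `<video>` element because neither name is on the denylist; `sanitize(SAMPLE, allowlist=True)` returns only `<p>hi</p>`.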