- From: Tab Atkins Jr. <jackalmage@gmail.com>
- Date: Sun, 24 Jan 2010 10:12:46 -0600
- To: Shelley Powers <shelley.just@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 8:56 AM, Shelley Powers <shelley.just@gmail.com> wrote:
> Do not expect me to be anything but absolutely appalled that something
> like that would exist in an HTML document. I have never seen anything
> so awful, and so guaranteed to cause problems for authors as that.
>
> Frankly, I know of few authors that wouldn't look at that and not be
> very unhappy.

If I had to write it by hand, of course I wouldn't be happy. That's not
what it's for. If I'm writing it by hand I can skip the <iframe>s
entirely, because I know what I'm writing and thus don't need to protect
myself against myself.

This sort of stuff is meant to be generated by code, like this:

    <?php foreach($comments as $comment): ?>
    <article>
      <footer>At <time pubdate><?= $comment->timestamp ?></time>,
        <a href="<?= urlEscape($comment->userurl) ?>"><?= htmlEscape($comment->username) ?></a> writes:
      </footer>
      <iframe seamless sandbox="allow-same-origin" srcdoc="<?= srcdocEscape(htmlEscape($comment->text)) ?>"></iframe>
    </article>
    <?php endforeach; ?>

Compare that to what the code would look like to generate the page
without <iframe>s:

    <?php foreach($comments as $comment): ?>
    <article>
      <footer>At <time pubdate><?= $comment->timestamp ?></time>,
        <a href="<?= $comment->userurl ?>"><?= $comment->username ?></a> writes:
      </footer>
      <div><?= htmlEscape($comment->text) ?></div>
    </article>
    <?php endforeach; ?>

Virtually identical, just less secure in the latter case because you
don't get the benefits of @sandbox, so the comment could contain harmful
javascript unless you have a well-built html parser/serializer/cleaner
(and you won't generally know that it's not well-built until it fails).

And the srcdocEscape() function is trivial to write, as well:

    function srcdocEscape($html) {
      // Only & and " need escaping inside a double-quoted attribute value.
      return strtr($html, array("&" => "&amp;", '"' => "&quot;"));
    }

> Sorry if I'm offending or hurting feelings, but there was no consensus
> on this. How could there be consensus on this? And now, the only way
> to reverse this unilateral decision is _we_ have to now go through the
> Decision process.

There was quite a bit of discussion. You were even in on it.

That said, though, the HTML5 spec isn't developed through consensus.
Consensus is involved in our Decision Process, but not completely; the
Chairs still make their decisions based on technical merit, not
consensus, just like Ian does when writing the original spec.

~TJ
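The srcdocEscape() idea from the mail above, as an added example that is not code from this thread, ported to Python and checked by parsing the rendered page with the standard-library HTML parser to confirm the iframe receives exactly the original comment body; render_comment, srcdocs_in and the sample comment strings are constructed for this demonstration.

```python
from html.parser import HTMLParser


def srcdoc_escape(markup: str) -> str:
    """Make an HTML fragment safe inside a double-quoted srcdoc attribute.

    Only '&' and '"' need escaping: the browser entity-decodes the attribute
    value first and only then parses the result as the iframe's document, so
    '<', '>' and even a literal '</iframe>' in the value cannot end the attribute.
    """
    return markup.replace("&", "&amp;").replace('"', "&quot;")


def render_comment(text: str, escape=srcdoc_escape) -> str:
    """Emit the sandboxed <iframe> the mail proposes for one comment body."""
    return ('<iframe seamless sandbox="allow-same-origin" srcdoc="'
            + escape(text) + '"></iframe>')


class _IframeCollector(HTMLParser):
    """Collect every srcdoc value the outer page parser actually sees."""

    def __init__(self):
        super().__init__()
        self.srcdocs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcdocs.append(dict(attrs).get("srcdoc"))


def srcdocs_in(page: str) -> list:
    parser = _IframeCollector()
    parser.feed(page)
    parser.close()
    return parser.srcdocs


# Constructed comment bodies, one per escaping rule in srcdoc_escape().
HOSTILE = '<b>"quoted"</b> &amp; </iframe><p>outside the comment?</p>'
ENTITY = 'Use &lt;b&gt; for bold'


def round_trips(text: str) -> bool:
    """True when the outer parser hands the iframe exactly the original text."""
    return srcdocs_in(render_comment(text)) == [text]


if __name__ == "__main__":
    print(round_trips(HOSTILE), round_trips(ENTITY))  # True True
    # Skipping the escape breaks the '&' rule: attribute decoding turns the
    # visible '&lt;b&gt;' into a real <b> tag before the iframe document is parsed.
    print(srcdocs_in(render_comment(ENTITY, escape=str)))  # ['Use <b> for bold']
```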
Received on Sunday, 24 January 2010 16:13:34 UTC