W3C home > Mailing lists > Public > public-html@w3.org > January 2010

Re: <iframe doc="">

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Sun, 24 Jan 2010 10:12:46 -0600
Message-ID: <dd0fbad1001240812x7c2e4390sd94094a52ca11b64@mail.gmail.com>
To: Shelley Powers <shelley.just@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 8:56 AM, Shelley Powers <shelley.just@gmail.com> wrote:
> Do not expect me to be anything but absolutely appalled that something
> like that would exist in an HTML document. I have never seen anything
> so awful, and so guaranteed to cause problems for authors as that.
> Frankly, I know of few authors that wouldn't look at that and not be
> very unhappy.

If I had to write it by hand, of course I wouldn't be happy.  That's
not what it's for.  If I'm writing it by hand I can skip the <iframes>
entirely, because I know what I'm writing and thus don't need to
protect myself against myself.  This sort of stuff is meant to be
generated by code, like this:

<?php foreach($comments as $comment): ?>
    <footer>At <time pubdate><?= $comment->timestamp ?></time>, <a
href="<?= urlEscape($comment->userurl) ?>"><?=
htmlEscape($comment->username) ?></a> writes: </footer>
    <iframe seamless sandbox="allow-same-origin" srcdoc="<?=
srcdocEscape(htmlEscape($comment->text)) ?>"></iframe>
<?php endforeach; ?>

Compare that to what the code would like to generate the page without <iframe>s:

<?php foreach($comments as $comment): ?>
    <footer>At <time pubdate><?= $comment->timestamp ?></time>, <a
href="<?= $comment->userurl ?>"><?= $comment->username ?></a> writes:
    <div><?= htmlEscape($comment->text) ?>"></div>
<?php endforeach; ?>

Virtually identical, just less secure in the latter case because you
don't get the benefits of @sandbox, so the comment could contain
harmful javascript unless you have a well-built html
parser/serializer/cleaner (and you won't generally know that it's not
well-built until it fails).

And the srcdocEscape() function is trivial to write, as well:

function srcdocEscape($html) {
  return strtr($html, array("&"=>"&amp;",'"'=>"&quot;"));

> Sorry if I'm offending or hurting feelings, but there was no consensus
> on this. How could there be consensus on this? And now, the only way
> to reverse this unilateral decision is _we_ have to now go through the
> Decision process.

There was quite a bit of discussion.  You were even in on it.

That said, though, the HTML5 spec isn't developed through consensus.
Consensus is involved in our Decision Process, but not completely; the
Chairs still make their decisions based on technical merit, not
consensus, just like Ian does when writing the original spec.

Received on Sunday, 24 January 2010 16:13:34 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 10:15:57 UTC