- From: Shelley Powers <shelley.just@gmail.com>
- Date: Sun, 24 Jan 2010 10:55:59 -0600
- To: "Tab Atkins Jr." <jackalmage@gmail.com>
- Cc: Ian Hickson <ian@hixie.ch>, "public-html@w3.org WG" <public-html@w3.org>
On Sun, Jan 24, 2010 at 10:12 AM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> On Sun, Jan 24, 2010 at 8:56 AM, Shelley Powers <shelley.just@gmail.com> wrote:
>> Do not expect me to be anything but absolutely appalled that something
>> like that would exist in an HTML document. I have never seen anything
>> so awful, and so guaranteed to cause problems for authors as that.
>>
>> Frankly, I know of few authors that wouldn't look at that and not be
>> very unhappy.
>
> If I had to write it by hand, of course I wouldn't be happy.  That's
> not what it's for.  If I'm writing it by hand I can skip the <iframes>
> entirely, because I know what I'm writing and thus don't need to
> protect myself against myself.  This sort of stuff is meant to be
> generated by code, like this:
>
> <?php foreach($comments as $comment): ?>
>  <article>
>    <footer>At <time pubdate><?= $comment->timestamp ?></time>, <a
> href="<?= urlEscape($comment->userurl) ?>"><?=
> htmlEscape($comment->username) ?></a> writes: </footer>
>    <iframe seamless sandbox="allow-same-origin" srcdoc="<?=
> srcdocEscape(htmlEscape($comment->text)) ?>"></iframe>
>  </article>
> <?php endforeach; ?>
The same tools also provide the code to sanitize comments before
they're posted.
So what's the point then, with including markup in an attribute on an iframe?
>
> Compare that to what the code would look like to generate the page without <iframe>s:
>
> <?php foreach($comments as $comment): ?>
>  <article>
>    <footer>At <time pubdate><?= $comment->timestamp ?></time>, <a
> href="<?= $comment->userurl ?>"><?= $comment->username ?></a> writes:
> </footer>
>    <div><?= htmlEscape($comment->text) ?></div>
>  </article>
> <?php endforeach; ?>
>
> Virtually identical, just less secure in the latter case because you
> don't get the benefits of @sandbox, so the comment could contain
> harmful javascript unless you have a well-built html
> parser/serializer/cleaner (and you won't generally know that it's not
> well-built until it fails).
>
This is an old issue. We have had software to sanitize comments for a
long time. It's built into most CMS tools. And for those who disregard
the use of such tools, they're not going to use this, either.
> And the srcdocEscape() function is trivial to write, as well:
>
> function srcdocEscape($html) {
>  return strtr($html, array("&"=>"&amp;",'"'=>"&quot;"));
> }
>
>> Sorry if I'm offending or hurting feelings, but there was no consensus
>> on this. How could there be consensus on this? And now, the only way
>> to reverse this unilateral decision is _we_ have to now go through the
>> Decision process.
>
> There was quite a bit of discussion.  You were even in on it.
>
But there was no consensus. Not unless I missed Maciej doing a "call
for consensus on ...."
> That said, though, the HTML5 spec isn't developed through consensus.
> Consensus is involved in our Decision Process, but not completely; the
> Chairs still make their decisions based on technical merit, not
> consensus, just like Ian does when writing the original spec.
>
No, that is not true.
Rationales should always be provided, consensus should be sought with
major changes. This is a major change. The editor should not be making
unilateral decisions -- and neither should the chairs.
Decisions are made, true, but they should be made according to the
strength of arguments provided, not the fact that Ian has edit control
over the document.
I want to ask: which implementing company asked for this change?
That's all it took for this to be incorporated, one implementor asked
for it. I want to know which company/person specifically asked for
this change?
> ~TJ
>
Shelley
Received on Sunday, 24 January 2010 16:56:28 UTC
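The two escaping layers in the quoted PHP snippet (htmlEscape for the comment body, then srcdocEscape because the result is placed inside a double-quoted attribute) are easy to get wrong by applying only one of them. The following is an added example, not code from the thread or from either participant, written in Python rather than PHP so the round trip can be checked: it builds the sandboxed iframe for a constructed sample comment, then reproduces what the browser does with the attribute (entity-decode the value, then parse it as the iframe document) to show that double escaping leaves inert text while a single htmlEscape hands live markup to the sandboxed document. The function names and the sample comment are this example's own assumptions.

```python
import html
import re

# Constructed sample comment (not from the thread): markup that must stay inert.
SAMPLE_COMMENT = 'Nice post! <script>alert("hi")</script> & "quotes"'


def html_escape(text: str) -> str:
    """Body-context escaping, like PHP's htmlspecialchars: & < > " ' become entities."""
    return html.escape(text, quote=True)


def srcdoc_escape(markup: str) -> str:
    """Attribute-context escaping, the same table as the thread's srcdocEscape().

    Inside a double-quoted attribute only '&' and '"' can end or corrupt the
    value, so those two are the only characters that need encoding.
    """
    return markup.replace("&", "&amp;").replace('"', "&quot;")


def render_comment_iframe(comment_text: str, double_escape: bool = True) -> str:
    """Build the sandboxed <iframe> from the thread for one comment.

    double_escape=True matches srcdocEscape(htmlEscape(...)); False applies only
    htmlEscape, the mistake the second layer exists to prevent.
    """
    escaped = html_escape(comment_text)
    if double_escape:
        escaped = srcdoc_escape(escaped)
    return f'<iframe seamless sandbox="allow-same-origin" srcdoc="{escaped}"></iframe>'


_SRCDOC_RE = re.compile(r'srcdoc="([^"]*)"')


def srcdoc_document(iframe_html: str) -> str:
    """Return the markup the browser parses as the iframe's document.

    The browser decodes the attribute value once (entity decoding) and then
    parses the result as HTML, so this is what ends up inside the sandbox.
    """
    match = _SRCDOC_RE.search(iframe_html)
    if match is None:
        raise ValueError("no srcdoc attribute found")
    return html.unescape(match.group(1))


def contains_live_markup(document: str) -> bool:
    """True if the decoded document still holds a raw '<' or '>', i.e. a tag
    boundary the HTML parser would act on instead of text to display."""
    return "<" in document or ">" in document


if __name__ == "__main__":
    safe = srcdoc_document(render_comment_iframe(SAMPLE_COMMENT))
    risky = srcdoc_document(render_comment_iframe(SAMPLE_COMMENT, double_escape=False))
    print("double escape ->", safe)   # entities only: displayed as text
    print("single escape ->", risky)  # raw <script> handed to the sandbox
```

With both layers the sandboxed document receives the htmlEscape'd string and simply displays it; with only htmlEscape the attribute decoding undoes that work and the sandbox receives the raw markup, leaving the `sandbox` attribute as the sole remaining control.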