- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Mon, 31 Jan 2011 18:37:08 -0800
- To: "sird@rckc.at" <sird@rckc.at>
- Cc: Aryeh Gregor <Simetrical+w3c@gmail.com>, "public-web-security@w3.org" <public-web-security@w3.org>
> Michal's point seems to be that
>
> <$untrusted>$user_content</$untrusted>
>
> is easier to get right than
>
> {htmlentities($user_content)}

I'm not even making this point very strongly; but I mostly think that
if you disagree with this, then sandboxed frames are necessarily even
less of a fit.

/mz
Received on Tuesday, 1 February 2011 02:38:01 UTC