- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 27 Jan 2011 15:38:06 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, Brandon Sterne <bsterne@mozilla.com>, public-web-security@w3.org
>
>> <span security=XXXX>
>>
>> user_content_which_should_behave_like_cdata_and_not_have_html_tags_interpreted_so_that_xss_here_is_not_possible
>> </span security=XXXX>
>>
>
> Ah but my point is before HTML is rendered the start and end markers should
> be parsed first. CDATA doesn't matter.
>

yes, but the point of using XML is that you can use any XML parser and not
your own parser. You might as well use HTML if you are doing that. (I am
not a big fan of XML -- I am just writing down what I think is their point
of view).

-devdatta

>>
>> Perhaps a more compatible approach would be:
>>
>> <securityXXXX> // With secret token in tag name
>> user_content_here
>> </securityXXXX>
>>
>> ...but it's also unlikely to fly with purists.
>
> I prefer this maybe with some extra characters that aren't likely to be
> used:-
> <__securityXXXX__> // With secret token in tag name
> user_content_here
> </__securityXXXX__>
>
Received on Thursday, 27 January 2011 23:38:59 UTC
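The mechanism under discussion (a per-response secret token embedded in the element name, with the start and end markers located before any HTML parsing happens) can be modelled in a few lines. The example below is added here and is not code from any participant in the thread; it assumes the `<__securityXXXX__>` form from gaz Heyes's message, a hex token generated with `secrets.token_hex` (an assumption, not something the thread specifies), and a marker-first scanner that treats everything between the markers as opaque text. It also shows the check a server-side wrapper would want: refusing to emit user content that already contains the exact closing marker, since that is the only way such content could terminate the region early.

```python
import html
import secrets

# Constructed element-name prefix, following the form proposed in the thread.
PREFIX = "__security"


def make_token() -> str:
    """Fresh per-response secret; 128 bits of randomness, lowercase hex.
    (Assumed token format; the thread leaves it unspecified.)"""
    return secrets.token_hex(16)


def markers(token: str) -> tuple[str, str]:
    """Opening and closing markers for a given token."""
    return f"<{PREFIX}{token}__>", f"</{PREFIX}{token}__>"


def contains_closing_marker(user_content: str, token: str) -> bool:
    """True if the content could close the region, i.e. the token has leaked
    into it. Tag names are case-insensitive, so compare in lower case."""
    _, close_m = markers(token)
    return close_m.lower() in user_content.lower()


def wrap_untrusted(user_content: str, token: str) -> str:
    """Emit user content inside the secret-token element. Refuses content
    that already carries the closing marker rather than emitting it."""
    if contains_closing_marker(user_content, token):
        raise ValueError("user content contains the closing marker; token leaked?")
    open_m, close_m = markers(token)
    return f"{open_m}{user_content}{close_m}"


def split_regions(document: str, token: str) -> list[tuple[str, str]]:
    """Marker-first scan: locate start/end markers before any HTML parsing.
    Returns (kind, text) pairs, kind being 'trusted' or 'untrusted'. Text
    between the markers is opaque, whatever tags it happens to contain."""
    open_m, close_m = markers(token)
    lowered = document.lower()  # search case-insensitively, slice the original
    regions: list[tuple[str, str]] = []
    pos = 0
    while True:
        start = lowered.find(open_m, pos)
        if start == -1:
            if pos < len(document):
                regions.append(("trusted", document[pos:]))
            return regions
        if start > pos:
            regions.append(("trusted", document[pos:start]))
        body_start = start + len(open_m)
        end = lowered.find(close_m, body_start)
        if end == -1:
            # A region that never closes is a bug in the emitting page,
            # not something the scanner should silently repair.
            raise ValueError("unterminated untrusted region")
        regions.append(("untrusted", document[body_start:end]))
        pos = end + len(close_m)


def render(regions: list[tuple[str, str]]) -> str:
    """Stand-in for what a browser honouring the markers would do: pass
    trusted markup through, show untrusted text as text."""
    return "".join(
        text if kind == "trusted" else html.escape(text, quote=False)
        for kind, text in regions
    )


if __name__ == "__main__":
    token = make_token()
    # Constructed user content that tries to close the region with a guessed
    # token and then inject markup; the guess does not match, so it stays text.
    user_content = "</__security0000__><b>still inside the region</b>"
    page = "<p>Hello</p>" + wrap_untrusted(user_content, token) + "<p>Bye</p>"
    for kind, text in split_regions(page, token):
        print(f"{kind:9s} {text!r}")
    print(render(split_regions(page, token)))
```

The scan never consults an HTML parser, which is the order of operations gaz argues for: the markers delimit the region first, and only the trusted slices are handed to the HTML side. The wrapper's refusal on a leaked token is the one place where the design needs server-side care; everything else rests on the token being unguessable per response.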