Re: [whatwg/url] Record whether the URL parser removed newlines. (#284)

I think that mitigation of an HTML injection attack should go in the HTML spec.  It is bad design to try and catch it at all the points of data entry into the HTML parser instead.  What if someone dynamically generates a malicious HTML string with JavaScript, for example? I think it's also bad design to put more HTML concepts into the URL spec, which is used for non-HTML applications.  If an implementer feels that they want to slow down their URL parser to implement it, then they can do that.  I probably wouldn't.

-- 
https://github.com/whatwg/url/pull/284#issuecomment-304087641

Received on Thursday, 25 May 2017 18:33:45 UTC