- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Tue, 4 Jan 2011 15:01:39 +1300
- To: Anne van Kesteren <annevk@opera.com>
- Cc: "Hallvord R. M. Steen" <hallvord@opera.com>, public-webapps@w3.org
Received on Tuesday, 4 January 2011 02:02:12 UTC
On Tue, Jan 4, 2011 at 2:28 AM, Anne van Kesteren <annevk@opera.com> wrote:

> On Mon, 27 Dec 2010 06:24:39 +0100, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> The sanitization algorithm needs to consider <style> elements and 'style'
>> content attributes. Some browsers, e.g. IE, support CSS features that
>> allow script execution.
>
> I think it might be better to define this in the opposite way. I.e. list
> the things we want to allow through. This will probably lead to a longer
> list, but at least safeguards against future features and gives the right
> example to people who happen to look at this document for sanitizing ideas.

I specifically avoided the issue of whether to whitelist or blacklist :-).
Whitelisting is preferable for security, but it turns out that the obvious
whitelists break things. For example, some HTML editors expect to be able to
get pasted HTML from Microsoft Word containing -mso styles, which they will
then process into something else. So a CSS whitelist would need to include at
least some -mso stuff, and who knows what else.

Rob
--
"Now the Bereans were of more noble character than the Thessalonians, for they
received the message with great eagerness and examined the Scriptures every day
to see if what Paul said was true." [Acts 17:11]
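The trade-off Rob describes, a whitelist for 'style' attribute content that still lets Word's mso- declarations through, as an added example. This code is not part of the thread and is not from any browser or editor project; the property list, the "mso-" prefix pass-through and the value grammar are assumptions chosen for illustration.

```javascript
// Added example (not from the thread): whitelist-based sanitizer for the
// content of a 'style' attribute. Only known property names and a
// conservative value grammar pass; every other declaration is dropped.
// The allow-list admits the "mso-" vendor prefix because, as the email
// notes, editors that accept pastes from Word need those declarations to
// survive sanitization so they can post-process them into something else.

// Assumption: a small set of presentational properties is enough here.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-family', 'font-size', 'font-weight',
  'font-style', 'text-align', 'text-decoration', 'margin', 'padding',
  'border', 'width', 'height',
]);

// Assumption: the editor rewrites mso-* declarations itself and never hands
// them to a renderer unchanged.
const ALLOWED_PREFIXES = ['mso-'];

// Conservative value grammar: letters, digits, '#', '%', '.', ',', '-' and
// whitespace. No parentheses, quotes, slashes, colons or backslashes, so no
// functional notation of any kind survives (rgb()/url()/calc() included).
const SAFE_VALUE = /^[A-Za-z0-9#%.,\s-]+$/;

function isAllowedProperty(name) {
  if (ALLOWED_PROPERTIES.has(name)) return true;
  return ALLOWED_PREFIXES.some((prefix) => name.startsWith(prefix));
}

// Split on ';' and then on the first ':'. This is adequate for attribute-level
// declarations because SAFE_VALUE rejects ';' and ':' inside values, so any
// declaration that would confuse this splitter is discarded anyway.
function sanitizeStyle(styleText) {
  const kept = [];
  for (const decl of String(styleText).split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const name = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).trim();
    if (!/^[a-z-]+$/.test(name)) continue;   // property names only
    if (!isAllowedProperty(name)) continue;  // not on the whitelist
    if (!SAFE_VALUE.test(value)) continue;   // value outside the grammar
    kept.push(`${name}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed sample: a Word-style paste plus two declarations the sanitizer
// refuses (a property not on the list, and a value using functional notation).
const sample =
  'color: red; mso-list: l0 level1 lfo1; font-family: Calibri, sans-serif; ' +
  'zoom: 2; width: calc(100%)';

console.log(sanitizeStyle(sample));
// → color: red; mso-list: l0 level1 lfo1; font-family: Calibri, sans-serif
```

The point of the grammar is that it never needs to know which CSS features a given browser treats as executable: anything that is not plain words, numbers and simple punctuation is rejected, so new vendor features are excluded by default. The cost is exactly the one Rob raises: legitimate values such as rgb() colours fail the grammar, and the list has to grow (here with the mso- prefix) whenever a real workflow depends on something the obvious whitelist omits.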