- From: fantasai <fantasai.lists@inkedblade.net>
- Date: Tue, 22 Jun 2004 20:15:55 +0200
Ian Hickson wrote:
> On Tue, 15 Jun 2004, fantasai wrote:
>
>> Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
>> something like that. This has two advantages:
>>
>>   a) The combination of that very unusual punctuation sequence (both
>>      opening and closing) /and/ an exact match of the template ID is
>>      going to be so rare as to be practically ignorable.
>
> Malicious users could trivially work out the combination that would break
> this, so I don't think that's a solution to the problem.

Malicious users could trivially use JavaScript to modify the DOM at will the
way you used it to insert a style sheet into that CSS Test Suite. They could
do that to any page they wanted, in any element attribute they wanted, without
relying on the author supplying a repeat template *and* using repetition index
replacement in the *value* of a form control, which itself would not be common.
They could fake the form data, they could edit the HTML doc itself, they could
write their own malicious UA -- there are many, many things malicious users
could do for which the server needs to have some safeguard, and this is the
least of them. The consideration here is accidentally matching the string of
code, not intentionally matching it.

>>   b) ID and NAME attributes using the replacement mechanism can still
>>      be valid.
>
> That's a good point though. I'm not sure I like "-.id.-" or ":-id-:", or
> ".id:" or "_id-" or other combinations I've looked at, though.
>
>   name="order-row_"
>   name="order_row-"
>   name="order.row:"
>   name="order:row."
>   name="order-row."
>
> ...hmm, none of those leap out at me.

I prefer the "use two bits of punctuation symmetrically" approach. Using just
a single one seems unwise; it's much more common. "-:id:-" looks reasonable,
I guess, if you're going for aesthetics. I picked :-id-: 'coz it would be even
rarer, and it does hold together as a sort of visual box.

  <div id="n:-templ-:"/>

~fantasai

-- 
http://fantasai.inkedblade.net/contact
Received on Tuesday, 22 June 2004 11:15:55 UTC
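The substitution mechanism the thread is arguing about, as an added example that is not part of the message above nor code from the Web Forms draft it discusses: a small JavaScript model of repetition-index replacement over a template row's attribute values, run once with the "[id]" delimiters and once with the ":-id-:" delimiters fantasai proposes. It shows the two points being debated: an attribute value that merely happens to contain the bracket form is rewritten by accident, while the rarer symmetric delimiters leave it alone, and an id containing "[" fails the HTML 4.01 ID/NAME token rule whereas "n:-row-:" passes. The template id `row`, the sample attributes and the helper names `instantiate`, `placeholder` and `isValidHtml4Id` are constructed for this example.

```javascript
// Added example, not code from the thread or from the Web Forms draft.
// Models repetition-index replacement over a template row's attribute
// values under two delimiter schemes: "[id]" and ":-id-:".

// Escape a literal string so it can be used inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Placeholder text for a template id under the chosen delimiter scheme.
function placeholder(templateId, scheme) {
  return scheme === "brackets" ? `[${templateId}]` : `:-${templateId}-:`;
}

// Replace every occurrence of the placeholder in each attribute value with
// the repetition index. Returns the new attribute map plus the list of
// attributes that changed, so an accidental match is visible to the caller.
function instantiate(attrs, templateId, index, scheme) {
  const re = new RegExp(escapeRegExp(placeholder(templateId, scheme)), "g");
  const out = {};
  const touched = [];
  for (const [name, value] of Object.entries(attrs)) {
    const replaced = value.replace(re, String(index));
    if (replaced !== value) touched.push(name);
    out[name] = replaced;
  }
  return { attrs: out, touched };
}

// HTML 4.01 rule for ID and NAME tokens: a letter, followed by any number of
// letters, digits, hyphens, underscores, colons and periods.
function isValidHtml4Id(value) {
  return /^[A-Za-z][A-Za-z0-9\-_:.]*$/.test(value);
}

// Constructed sample rows; the template id is "row". In both rows the value
// attribute holds literal help text that happens to contain "[row]"; the
// author did not intend it as a placeholder.
const bracketRow = {
  id: "n[row]",
  name: "order[row]",
  value: "Enter quantity for [row]",
};
const colonRow = {
  id: "n:-row-:",
  name: "order:-row-:",
  value: "Enter quantity for [row]",
};

// Instantiate repetition index 3 under each scheme and report the outcome.
function demo() {
  const b = instantiate(bracketRow, "row", 3, "brackets");
  const c = instantiate(colonRow, "row", 3, "colons");
  return {
    bracketTouched: b.touched, // id, name and, by accident, value
    colonTouched: c.touched, // id and name only; value is untouched
    bracketIdValid: isValidHtml4Id(bracketRow.id), // "[" is not an ID character
    colonIdValid: isValidHtml4Id(colonRow.id), // ":" and "-" are allowed
    instantiatedId: c.attrs.id, // the placeholder becomes the index
  };
}

console.log(demo());
```

The `touched` list is the check a template implementation would want to keep around: any attribute that changed but was not one the author marked for substitution is the accidental match the message is concerned about, and with the bracket scheme the help text is the one that gets rewritten.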