- From: Alexey Feldgendler <alexey@feldgendler.ru>
- Date: Thu, 07 Jun 2007 00:38:52 +0200
On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:

>> Preventing such attacks by a HTML cleaner would require either making a
>> full list of all "forbidden" IDs, class names etc, or imposing Draconian
>> rules upon user-supplied content, completely disallowing such useful
>> attributes like id and class.

> I'm not really convinced there's that much use in user-supplied IDs and
> classes, but the rules needn't be that draconian. The server could
> automatically prepend the commentN string to IDs and classes.

IDs in user-supplied content are only useful as fragment identifiers for
URLs, and mangling them like that defeats this use case because you don't
know N before you post the comment, and therefore can't make internal
links within the body (and it's also unobvious when you try to make links
to parts of your article afterwards).

-- 
Alexey Feldgendler <alexey at feldgendler.ru> [ICQ: 115226275]
http://feldgendler.livejournal.com
Received on Wednesday, 6 June 2007 15:38:52 UTC
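As an added example (not code from this thread), the Python sketch below implements the commentN prefixing Ian proposes and makes Alexey's objection concrete: a same-document link the author wrote as `#intro` stops resolving once the id becomes `comment42-intro`. The optional rewriting of `#...` hrefs alongside the ids is an added suggestion, not something either poster proposed; the class name, sample HTML and comment number 42 are constructed.

```python
import html
from html.parser import HTMLParser

class CommentNamespacer(HTMLParser):
    """Prefix every id and class in user-supplied HTML (constructed example)."""

    def __init__(self, prefix, rewrite_fragment_links):
        super().__init__()
        self.prefix = prefix
        self.rewrite_fragment_links = rewrite_fragment_links
        self.out = []             # re-serialised HTML pieces
        self.ids = set()          # ids as they appear after rewriting
        self.fragment_hrefs = []  # same-document links after rewriting

    def _rewrite(self, attrs):
        for name, value in attrs:
            if value is not None and name == "id":
                value = f"{self.prefix}-{value}"
                self.ids.add(value)
            elif value is not None and name == "class":
                value = " ".join(f"{self.prefix}-{c}" for c in value.split())
            elif value is not None and name == "href" and value.startswith("#"):
                # An internal link written before N was known: it only keeps
                # resolving if the server rewrites it along with the id.
                if self.rewrite_fragment_links:
                    value = f"#{self.prefix}-{value[1:]}"
                self.fragment_hrefs.append(value)
            yield name, value

    def handle_starttag(self, tag, attrs):
        rendered = "".join(
            f' {n}="{html.escape(v)}"' if v is not None else f" {n}"
            for n, v in self._rewrite(attrs))
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # parser unescaped it

def namespace_comment(fragment, n, rewrite_fragment_links=False):
    """Return (rewritten HTML, list of '#...' links that no longer resolve)."""
    p = CommentNamespacer(f"comment{n}", rewrite_fragment_links)
    p.feed(fragment)
    p.close()
    dangling = [h for h in p.fragment_hrefs if h[1:] not in p.ids]
    return "".join(p.out), dangling

# Constructed sample: a heading and a link back to it inside the same comment.
SAMPLE = '<h2 id="intro" class="heading big">Intro</h2><p>See <a href="#intro">above</a>.</p>'
```

With the default settings `namespace_comment(SAMPLE, 42)` reports `#intro` as dangling; with `rewrite_fragment_links=True` the link follows the renamed id.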