- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 6 Jun 2007 22:42:31 +0000 (UTC)
On Thu, 7 Jun 2007, Alexey Feldgendler wrote:
> On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <ian at hixie.ch> wrote:
>
> > > Preventing such attacks by a HTML cleaner would require either
> > > making a full list of all "forbidden" IDs, class names etc, or
> > > imposing Draconian rules upon user-supplied content, completely
> > > disallowing such useful attributes like id and class.
> >
> > I'm not really convinced there's that much use in user-supplied IDs
> > and classes, but the rules needn't be that draconian. The server could
> > automatically prepend the commentN string to IDs and classes.
>
> IDs in user-supplied content are only useful as fragment identifiers for
> URLs, and mangling them like that defeats this use case because you
> don't know N before you post the comment, and therefore can't make
> internal links within the body (and it's also unobvious when you try to
> make links to parts of your article afterwards).

True. I don't have a good solution to this that doesn't involve code on the
server-side, though.

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Received on Wednesday, 6 June 2007 15:42:31 UTC
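The server-side namespacing that the thread discusses, as an added example and not code from either participant: the cleaner prefixes every user-supplied id, class, for and headers value with a per-comment string, and, to answer the fragment-identifier objection, also rewrites same-document links (href values beginning with "#") inside that comment so an author can write `<a href="#proof">` and `<h3 id="proof">` without knowing N in advance. The prefix format `comment{N}-`, the attribute list and the sample input are assumptions for illustration; the example assumes the rest of the cleaner (allow-listing tags and attributes, stripping script and event handlers) runs separately, and it does not help external links into the comment, which still have to use the namespaced id.

```python
from html import escape
from html.parser import HTMLParser

# Attributes whose values name elements in the page and could therefore
# collide with (or deliberately clobber) the host page's own ids/classes.
# "id", "for" and "headers" are id references; "class" is a class list.
# This list is an assumption for the example, not an exhaustive one.
NAMESPACED_ATTRS = ("id", "class", "for", "headers")


class CommentNamespacer(HTMLParser):
    """Re-serialises HTML with per-comment prefixes on ids/classes and
    rewrites same-document fragment links to match."""

    def __init__(self, prefix):
        super().__init__(convert_charrefs=True)
        self.prefix = prefix
        self.out = []

    def _namespace(self, value):
        # Space-separated token lists (class, headers) get every token prefixed.
        return " ".join(self.prefix + token for token in value.split())

    def _attr(self, name, value):
        if value is None:            # boolean attribute such as "disabled"
            return name
        if name in NAMESPACED_ATTRS:
            value = self._namespace(value)
        elif name == "href" and value.startswith("#") and len(value) > 1:
            # Internal link: point it at the namespaced id in the same comment.
            value = "#" + self.prefix + value[1:]
        return f'{name}="{escape(value, quote=True)}"'

    def _emit_start(self, tag, attrs):
        parts = [tag] + [self._attr(n, v) for n, v in attrs]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_starttag(self, tag, attrs):
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # Void elements (<br/>, <img/>): emit only the start tag.
        self._emit_start(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Character references were decoded by the parser; re-escape on output.
        self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def namespace_comment(html_text, comment_number):
    """Prefix ids/classes in one comment with 'comment{N}-' and rewrite its
    internal fragment links. comment_number is server-assigned, so the
    prefix never contains attacker-controlled characters."""
    prefix = f"comment{int(comment_number)}-"   # assumed prefix format
    parser = CommentNamespacer(prefix)
    parser.feed(html_text)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample comment: it carries an id and class the host page
    # might also use, plus an internal link and an external fragment link.
    sample = ('<p class="note warn" id="intro">Hi <a href="#proof">see proof</a>'
              ' &amp; <a href="http://example.com/#x">ext</a></p>'
              '<h3 id="proof">Proof</h3>')
    print(namespace_comment(sample, 42))
```

The host page keeps its own ids and classes un-prefixed, so a comment cannot claim `id="login"` or `class="admin"`; two comments with the same author-chosen id get different prefixes and so never collide with each other either. Only links that begin with "#" are rewritten, so a link to another page's fragment is left alone.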