- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 15 Dec 2008 21:30:21 +0000 (UTC)
On Mon, 15 Dec 2008, Edward Z. Yang wrote:
>
> > I wouldn't really worry about "4" vs "5". What matters is what works
> > in browsers, or whatever tools your users are using. (This is one
> > reason in HTML5 we do away with having the version number in the
> > DOCTYPE.) I'd recommend just using the HTML5 DOCTYPE and then
> > filtering the content to be whatever you want it to be.
>
> HTML Purifier puts a high value on standards-compliance, and we've been
> attacked on several occasions because of it. "Standards suck." To this I
> have to say, standards compliance has helped defend against a number of
> XSS attacks--enforcing it lowers attack surface and makes behavior much
> more well-defined. So I feel like it's a goal worth striving for, in and
> of itself, especially since you can't enforce semantics with computers.

I'm not saying don't be standards-compliant; I'm just saying use a subset
of HTML5 that you feel comfortable with (which might also be a subset of
HTML4, for that matter, just with the HTML5 DOCTYPE so that you don't have
to worry about exactly which version you want to follow).

-- 
Ian Hickson                  U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 15 December 2008 13:30:21 UTC
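The approach the reply recommends (emit the versionless HTML5 DOCTYPE and filter content down to a subset you are comfortable with) can be illustrated with a small allowlist filter. The following is an added example written for this archive page; it is not HTML Purifier's code and not Ian Hickson's, and the element/attribute subset, the `ALLOWED`, `DROP_CONTENT` and `URL_SCHEMES` tables and the `sanitize`/`as_document` helpers are all assumptions chosen for illustration. Everything the policy does not name is dropped, which is what keeps the behaviour well-defined regardless of which HTML version the input claimed to be.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical policy: the subset of HTML5 we choose to accept, element -> allowed attributes.
ALLOWED = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "code": set(), "pre": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href", "title"},
}
VOID = {"br"}                       # elements that never get a closing tag
DROP_CONTENT = {"script", "style"}  # drop the element together with everything inside it
URL_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return the cleaned URL, or None if its scheme is outside the allowed set."""
    # Browsers ignore tabs/newlines inside a URL, so strip non-printable characters
    # before looking at the scheme; otherwise a split scheme could pass the check.
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in URL_SCHEMES:
        return None
    return cleaned


class SubsetFilter(HTMLParser):
    """Re-serialises input keeping only the allowlisted subset, always well nested."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []      # allowed elements currently open, so we can balance output
        self.dropping = 0   # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            if tag in DROP_CONTENT:
                self.dropping += 1
            return
        if tag in DROP_CONTENT:
            self.dropping = 1
            return
        if tag not in ALLOWED:
            return              # unknown element: tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag]:
                continue        # e.g. event handler attributes are never in the policy
            value = value or ""
            if name == "href":
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_CONTENT:
                self.dropping -= 1
            return
        if tag in self.open:
            # Close everything opened after this element so the output stays well nested.
            while True:
                top = self.open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open:        # close anything the input left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize(fragment):
    f = SubsetFilter()
    f.feed(fragment)
    f.close()
    return f.result()


def as_document(fragment, title="untitled"):
    # Versionless HTML5 DOCTYPE, as the reply suggests; the body is the filtered subset.
    return "<!DOCTYPE html>\n<title>%s</title>\n%s\n" % (html.escape(title), sanitize(fragment))


if __name__ == "__main__":
    # Constructed sample input for a local run.
    print(as_document('<p>Hi <script>alert(1)</script><b onclick="x">there</b></p>', "Demo"))
```

The filter is a serialiser, not a validator: it never tries to decide whether the input was valid HTML 4 or 5, it only emits elements and attributes from its own table, so the output is the same well-formed subset whatever the input claimed to be.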