[whatwg] Stability of tokenizing/dom algorithms

On Mon, 15 Dec 2008, Edward Z. Yang wrote:
> 
> > I wouldn't really worry about "4" vs "5". What matters is what works 
> > in browsers, or whatever tools your users are using. (This is one 
> > reason in HTML5 we do away with having the version number in the 
> > DOCTYPE.) I'd recommend just using the HTML5 DOCTYPE and then 
> > filtering the content to be whatever you want it to be.
> 
> HTML Purifier puts a high value on standards-compliance, and we've been 
> attacked on several occasions because of it. "Standards suck." To this I 
> have to say, standards compliance has helped defend against a number of 
> XSS attacks--enforcing it lowers attack surface and makes behavior much 
> more well-defined. So I feel like it's a goal worth striving for, in and 
> of itself, especially since you can't enforce semantics with computers.

I'm not saying don't be standards-compliant; I'm just saying use a subset 
of HTML5 that you feel comfortable with (which might also be a subset of 
HTML4, for that matter, just with the HTML5 DOCTYPE so that you don't have 
to worry about exactly which version you want to follow).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 15 December 2008 13:30:21 UTC