
[whatwg] The <iframe> element and sandboxing ideas

From: Frode Børli <frode@seria.no>
Date: Tue, 22 Jul 2008 00:35:03 +0200
Message-ID: <31fb000f0807211535n27dacf75g5b91fb3511031e47@mail.gmail.com>

I like the proposal of adding a "seamless" attribute to the iframe element,
though it should perhaps be added using CSS since it applies to styling?

I also want the following:

<span sandbox=1> </span>

This is because a typical Web 2.0 usage is to have a list of comments with a
thumbs up/thumbs down for each message. This requires more fine-grained
control of what is user generated content and what is scripted content.

The problem is 1: that the user can easily write </span> in his comment and
bypass the sandbox and 2: it is not backward compatible.

This is prevented by requiring anything inside a sandbox to be
entity-escaped:

<span sandbox=1> &lt;/span&gt; </span>

If the browser finds unescaped content inside a sandbox it should refuse to
display the page - thereby forcing the author to fix this immediately.

Any comments?
Received on Monday, 21 July 2008 15:35:03 UTC
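
The escaping rule proposed in the message above, as an added example that is not part of the original post: the author side entity-escapes a comment before placing it in the sandbox, and a strict consumer-side check rejects sandbox bodies containing raw markup. The function names and the sample comment are assumptions made for illustration, and `sandbox` on `<span>` is the message's proposed attribute, not a shipped HTML feature.

```javascript
// Added example: `sandbox` on <span> is the proposal's attribute, not a shipped HTML feature.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Author side: entity-escape user-generated text before it goes into the sandbox.
function escapeForSandbox(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

function renderComment(userText) {
  return '<span sandbox=1>' + escapeForSandbox(userText) + '</span>';
}

// Consumer side (hypothetical strict check): return the raw body of every
// sandbox span, or throw if a body contains unescaped markup characters.
function sandboxBodies(html) {
  const OPEN = '<span sandbox=1>';
  const CLOSE = '</span>';
  const bodies = [];
  let pos = 0;
  for (;;) {
    const start = html.indexOf(OPEN, pos);
    if (start === -1) return bodies;
    const bodyStart = start + OPEN.length;
    const end = html.indexOf(CLOSE, bodyStart);
    if (end === -1) throw new Error('unterminated sandbox');
    const body = html.slice(bodyStart, end);
    if (/[<>]/.test(body)) throw new Error('unescaped content inside sandbox');
    bodies.push(body);
    pos = end + CLOSE.length;
  }
}

// Constructed sample comment that tries to close the sandbox early.
const hostile = 'nice post </span><b>outside</b>';

// Escaped: the whole comment stays inside one sandbox as inert text.
const safePage = renderComment(hostile);

// Unescaped: the first </span> ends the sandbox, so the check sees only
// 'nice post ' and cannot tell the rest was user-supplied. Escaping on the
// author side is what prevents the breakout.
const brokenPage = '<span sandbox=1>' + hostile + '</span>';
```

The refusal check catches raw elements left inside a sandbox, but a raw `</span>` looks identical to the author's own closing tag, so the guarantee depends on the escaping step being applied to every user-supplied string.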
