- From: Frode Børli <frode@seria.no>
- Date: Thu, 24 Jul 2008 01:07:07 +0200
I am not sure - the sandbox should not allow any scripts at all, that is my only requirement. More advanced requirements can be taken care of server side. The issue I want sandbox for is that it allows us to introduce other ways to embed scripts in tags in the future. Imagine this becoming legal in HTML 6 for some reason: <td colspan='javascript(a + 5)'></td> Where a javascript returns the value in the colspan attribute. Many server side HTML sanitizers would have to be updated - unless we introduce a proper sandbox. Of course a white list could be nice - but sending a list of 50+ tags for each item in a guestbook is a bit much. CSS syntax could be used for such a whitelist; a[href],span[style],area[alt|href] etc. With no whitelist - everything should be allowed, except scripts. Frode 2008/7/23 James Ide <ide at berkeley.edu>: > On Tue, Jul 22, 2008 at 3:22 PM, Frode B?rli <frode at seria.no> wrote: > >> The server must escape all user generated content by replacing < with >> < etc. This is perfectly secure for all existing browsers. The >> sandbox instructs the browser to unescape. Completely fail safe for >> all. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080724/d8fb6267/attachment.htm>
Received on Wednesday, 23 July 2008 16:07:07 UTC