- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 13 Dec 2009 13:51:29 -0800
> That seems like a backwards way of proceeding. Do you have a proposal
> for unification besides the <jail> tag?

The only fundamental objection I have heard against it is the trouble with XML representation.

The other option is to simply require a traditional CDATA-esque behavior or a tag parameter - which would place the burden on the author to filter out / escape a single exact string or a quote, but would be similar otherwise. It's obviously less secure - because while the token-based approach actually requires the user to explicitly come up with a token, however poor it might be; whereas here, there is no way to enforce escaping. But it's a solution that would not conflict with XML in any way.

From Tab's response, looks like it's being considered, too - @doc + @seamless.

What strikes me as a bit ironic is that this way, we're overloading IFRAME to become something else entirely, and after rejecting token-guards, settling for an option that is definitely not perfect, and in practice, I think, is bound to be less secure.

/mz
Received on Sunday, 13 December 2009 13:51:29 UTC
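The message contrasts two ways of fencing untrusted markup: a fixed closing string that the author must remember to escape, and a per-document token that the author has to choose, which makes the "does the content contain the delimiter?" check something the emitting code can enforce rather than hope for. The script below is an added illustration of that difference and is not code from the thread or from any HTML proposal; the `<jail>` / `<jail token="...">` syntax, the function names and the sample content are all constructed assumptions for the demonstration.

```python
import secrets

# Hypothetical fixed-delimiter form: one exact closing string, same for every page.
OPEN_FIXED = "<jail>"
CLOSE_FIXED = "</jail>"

# Constructed sample of untrusted content that happens to contain the closing string.
SAMPLE = 'user text</jail>more text'


def wrap_fixed(untrusted: str, escape: bool = True) -> str:
    """Fixed-delimiter variant.

    Safety rests entirely on the author remembering to neutralise the one
    closing string; nothing in the mechanism itself checks that they did.
    """
    body = untrusted.replace("</jail", "&lt;/jail") if escape else untrusted
    return f"{OPEN_FIXED}{body}{CLOSE_FIXED}"


def wrap_tokened(untrusted: str, token: str = "") -> str:
    """Token-guard variant (hypothetical syntax).

    The container is closed by a string that includes a token unknown to the
    content author. Because the token is chosen here, the emitter can refuse
    to produce markup whenever the untrusted body already contains it, so a
    forgotten escaping step cannot silently turn into an early close.
    """
    token = token or secrets.token_hex(16)
    if token in untrusted:
        raise ValueError("untrusted content contains the guard token; refusing to emit")
    return f'<jail token="{token}">{untrusted}</jail token="{token}">'


def premature_close(markup: str, close: str) -> bool:
    """Parser-side check used for the demonstration.

    Returns True when the first occurrence of `close` is not the last one,
    i.e. the untrusted body terminated the container before the real end.
    """
    return markup.find(close) != markup.rfind(close)


if __name__ == "__main__":
    # Fixed delimiter, escaping forgotten: the body closes the jail early.
    print(premature_close(wrap_fixed(SAMPLE, escape=False), CLOSE_FIXED))  # True
    # Fixed delimiter, escaping remembered: contained.
    print(premature_close(wrap_fixed(SAMPLE, escape=True), CLOSE_FIXED))   # False
    # Token guard: the body cannot close what it does not know the token for.
    tok = "demo-token"
    print(premature_close(wrap_tokened(SAMPLE, tok), f'</jail token="{tok}">'))  # False
    # Token guard with a weak, guessable token that the body contains: refused.
    try:
        wrap_tokened('x</jail token="abc">y', "abc")
    except ValueError as err:
        print("refused:", err)
```

The last case is the point the message makes about token quality: a poorly chosen token that the content author can guess still fails, but it fails loudly at emission time rather than by a silent breakout, which is the enforcement the fixed-string approach cannot offer.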