
[whatwg] Trying to work out the problems solved by RDFa

From: Ben Adida <ben@adida.net>
Date: Fri, 09 Jan 2009 15:38:42 -0800
Message-ID: <4967E002.1080305@adida.net>

Tab Atkins Jr. wrote:
> To answer your specific question, <title> is under the control of the
> site author, and search engines already have elaborate methods to tell
> a spammy site from a hammy one, thus downranking them.

And RDFa is also entirely under the control of the site author.

> On the other hand, the hypothetical attack scenario I outlined was
> about metadata that could be added to the page by external parties.

I thought your attack concerned both author markup and commenter markup.
But it seems we agree on author markup: no additional risk there.

So on to commenter markup.

Most blogging software already white-lists the HTML elements and
attributes they allow, otherwise they are easily hacked with XSS. This
means that, by default, most blogging software will strip RDFa from
comments, which is exactly the right approach, since comments should not
have authority over the structured data of the page.

-Ben
Received on Friday, 9 January 2009 15:38:42 UTC
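
The allow-list behaviour described in the message above, as an added example that is not part of the original post or of any particular blogging package: a comment sanitizer that keeps only listed elements and attributes, so RDFa attributes (`about`, `property`, `typeof`, `content`, `rel`) never survive into the page. The policy in `ALLOWED`, the scheme list, the function names and the sample comment are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical comment policy: allowed element -> attributes it may carry.
ALLOWED = {"a": {"href"}, "p": set(), "b": set(), "i": set(), "em": set(),
           "strong": set(), "blockquote": set(), "code": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

# Constructed sample comment carrying RDFa attributes and an event handler.
SAMPLE = ('<p>Nice post, see <a href="http://example.org/me" rel="dc:creator" '
          'property="dc:title" onclick="x()">my page</a> '
          '<span about="" property="dc:creator" content="Someone Else">hi</span></p>')


class CommentSanitizer(HTMLParser):
    """Rebuilds a comment from allow-listed tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized output fragments
        self.dropped = []  # (tag, attribute) pairs removed, for audit

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            self.dropped.append((tag, None))  # tag dropped, its text is kept
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED[tag]
            if ok and name == "href":  # allow-list URL schemes too
                ok = value.strip().lower().startswith(SAFE_SCHEMES)
            if ok:
                kept += f' {name}="{escape(value, quote=True)}"'
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize_comment(html):
    s = CommentSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```

Because the policy names what is permitted rather than what is forbidden, attributes the policy author never considered are dropped along with the known-bad ones.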
