- From: Ben Adida <ben@adida.net>
- Date: Fri, 09 Jan 2009 15:38:42 -0800
Tab Atkins Jr. wrote:
> To answer your specific question, <title> is under the control of the
> site author, and search engines already have elaborate methods to tell
> a spammy site from a hammy one, thus downranking them.

And RDFa is also entirely under the control of the site author.

> On the other hand, the hypothetical attack scenario I outlined was
> about metadata that could be added to the page by external parties.

I thought your attack concerned both author markup and commenter markup. But it seems we agree on author markup: no additional risk there.

So on to commenter markup. Most blogging software already white-lists the HTML elements and attributes they allow, otherwise they are easily hacked with XSS. This means that, by default, most blogging software will strip RDFa from comments, which is exactly the right approach, since comments should not have authority over the structured data of the page.

-Ben
Received on Friday, 9 January 2009 15:38:42 UTC
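The whitelist approach Ben describes, as an added example (not code from the thread or from any particular blogging platform): a comment sanitizer that keeps only a fixed set of elements and per-element attributes. Because RDFa attributes (about, property, typeof, resource, datatype, rel/rev, content) are simply not on the list, they are dropped for the same reason onclick= and javascript: URLs are. The element and attribute lists, the sample comment and the safe URL schemes are assumptions chosen for illustration.

```python
"""Whitelist-based HTML sanitizer for blog comments (constructed example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element -> attributes a commenter may use (illustrative list, an assumption).
# Anything absent here never survives: RDFa attributes and event handlers are
# removed by omission, not by a blacklist that has to be kept up to date.
ALLOWED = {
    "p": set(), "br": set(), "em": set(), "strong": set(), "code": set(),
    "pre": set(), "blockquote": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
}
VOID = {"br"}                       # elements that take no closing tag
SAFE_SCHEMES = {"http", "https", "mailto"}  # href must carry one of these
DROP_CONTENT = {"script", "style"}  # drop the body too, not only the tags


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []      # stack of allowed elements currently open
        self.dropping = 0   # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED:
            return          # unknown element: tag removed, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue    # about=, property=, typeof=, onclick=, ... gone
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue    # javascript:, data:, and scheme-less links rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.open:
            return
        # Close back down to the matching element so output stays well-formed.
        while self.open:
            closed = self.open.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # re-escape text

    def result(self):
        self.close()
        while self.open:  # close anything the commenter left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize_comment(fragment):
    """Return the whitelisted form of an untrusted HTML comment fragment."""
    s = CommentSanitizer()
    s.feed(fragment)
    return s.result()


# Constructed sample: a comment that tries to assert RDFa about the post
# and to smuggle in script, an event handler and a javascript: link.
SAMPLE_COMMENT = (
    '<p about="http://example.com/post/1" typeof="sioc:Post">'
    'Nice <span property="dc:title">Fake Title</span> post!</p>'
    '<a href="javascript:alert(1)" onclick="steal()" rel="license">bad</a>'
    '<a href="https://example.org/" title="ok">good</a>'
    '<script>document.cookie</script>'
)

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE_COMMENT))
```

The output for the sample is plain `<p>Nice Fake Title post!</p><a>bad</a><a href="https://example.org/" title="ok">good</a>`: the commenter's text survives, but no attribute an RDFa processor would read does, so the comment cannot speak for the page's structured data. The same single lookup is what blocks the XSS vectors, which is why a whitelist gives both properties at once.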