- From: Aryeh Gregor <Simetrical+w3c@gmail.com>
- Date: Mon, 7 Sep 2009 13:45:48 -0400
On Mon, Sep 7, 2009 at 1:34 PM, Geoffrey Sneddon <foolistbar at googlemail.com> wrote:
> Apparently Hixie had previously said he didn't want to change this as it
> will become a non-issue over time. I think it does matter due to the
> security issues it presents in existing UAs. Conforming markup (using
> elements/attributes allowed in HTML 4.01) should not cause JS to execute in
> one browser but not in another.

I agree with you as an author. I wrote an HTML output function in MediaWiki assuming that what the standard says is known to be interoperable, which is apparently wrong. If I hadn't been keeping up with HTML 5, I would have introduced an XSS vulnerability because of some browsers' handling of `. If the problem will go away with time, then perhaps a later version of the standard could make such unquoted attributes conforming, once there's no more problem with them.
Received on Monday, 7 September 2009 10:45:48 UTC
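An added example, not part of the original message and not MediaWiki's code: an attribute serializer that drops the quotes only when the value contains none of the characters HTML5 excludes from unquoted attribute values, the backtick included. The function names and sample values are hypothetical and constructed for illustration.

```python
import html
import re

# Characters that HTML5 does not allow in an unquoted attribute value:
# whitespace, ", ', =, <, > and ` (the backtick discussed in the thread).
# \s is slightly broader than HTML's "space characters", which only means
# a few more values get quoted than strictly necessary.
_UNSAFE_UNQUOTED = re.compile(r"[\s\"'=<>`]")

# Conservative attribute-name pattern (an assumption of this example).
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9:_.-]*")


def needs_quotes(value: str) -> bool:
    """True when the value must be quoted to be conforming and unambiguous."""
    return value == "" or _UNSAFE_UNQUOTED.search(value) is not None


def render_attribute(name: str, value: str, minimize: bool = True) -> str:
    """Serialize one attribute, omitting quotes only when that is safe."""
    if not _ATTR_NAME.fullmatch(name):
        raise ValueError(f"refusing to emit attribute name {name!r}")
    # html.escape handles &, <, > and both quote characters.
    escaped = html.escape(value, quote=True)
    if minimize and not needs_quotes(value):
        # Only & can need escaping here; every other special character
        # would already have forced the quoted form.
        return f"{name}={escaped}"
    return f'{name}="{escaped}"'


def open_tag(tag: str, attrs: dict) -> str:
    """Build an opening tag from a dict of attribute names and values."""
    parts = [render_attribute(k, v) for k, v in attrs.items()]
    return "<" + " ".join([tag] + parts) + ">"


if __name__ == "__main__":
    # Constructed sample values: one safe to minimize, one with a backtick.
    print(open_tag("a", {"class": "plain", "title": "a`b"}))
```

Passing `minimize=False` always quotes, which is the simplest policy when output size is not a concern.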