- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 25 Aug 2010 16:41:18 -0700
On Wed, Aug 25, 2010 at 1:55 PM, Ian Hickson <ian at hixie.ch> wrote: > On Wed, 25 Aug 2010, Adam Barth wrote: >> HTML should support Base64-encoded entities to make it easier for >> authors to include untrusted content in their documents without >> risking XSS. > > Seems like a fine idea. Get browsers to implement it and I'll spec it. I've posted a patch for WebKit: https://bugs.webkit.org/show_bug.cgi?id=44641 Some subtleties: 1) Some base64 decoders tolerate newlines. We don't want to decode entities with newlines. 2) Decoding base64 results in binary data. We'll need to convert that data to characters in order to deal with it in the DOM. We use always use UTF8 for that transformation, regardless of the document's encoding. 3) Null characters are replaced with U+FFFD. 4) The empty base64 entity &%; is consumed and is replaced with the empty string. 5) Invalid base64 is rejected and the entity is not decoded. Adam
Received on Wednesday, 25 August 2010 16:41:18 UTC