W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] base64 entities

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 27 Aug 2010 11:23:57 +0200
Message-ID: <4C77842D.1050609@gmx.de>
On 27.08.2010 00:45, Adam Barth wrote:
> ...
> Escaping just those character is insufficient.  The appeal of this
> approach is that authors don't need the right blacklist of dangerous
> characters.  By the way, there are already folks doing something
> similar manually now.  They send the untrusted bytes as base64 and
> decode them using JavaScript.

That sounds like a good idea which doesn't have the deployment problem.

 > ...
> On Thu, Aug 26, 2010 at 1:30 PM, Julian Reschke<julian.reschke at gmx.de>  wrote:
>> I now get the point about the additional problems in script, but I fail to
>> see how the proposal addresses this, unless expanding these entities is
>> suppose to happen *after* parsing the script.
> Yes.  That's precisely what happens.

Ok. To be clear: the same applies to HTML entities in text/html, but not 
for XML entities in application/xhtml+xml (because of the different 
handling of <script> content).

So, what's the implication for XHTML?

Best regards, Julian
Received on Friday, 27 August 2010 02:23:57 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:26 UTC