
RE: is it possible to handle an XML/HTML elements attribute via the URI?

From: Matthew Millar <mattmill30@hotmail.com>
Date: Sun, 31 Oct 2010 00:09:02 +0100
Message-ID: <SNT116-W1785B248B18B56B904DE2AC4460@phx.gbl>
To: <usenet2010@cfaerber.name>, <uri@w3.org>

Hi Claus,

I haven't got a lot of XSS experience, so please correct me if I'm mistaken.

As far as I'm aware, XSS comes into play when a website or perhaps a server has malicious code or handles a request badly, to the extent that some information gets passed to another website or server, i.e. JavaScript creating a call to a remote database and recording data from the local machine.

I think this feature could be standardised so it wasn't an XSS threat; however, it would have to be strictly specified as to what attributes could be controlled, or perhaps what elements could be handled, i.e. only 100% benign HTML and CSS.


Matthew Millar

> To: uri@w3.org
> From: usenet2010@cfaerber.name
> Date: Sat, 30 Oct 2010 18:20:53 +0200
> Subject: Re: is it possible to handle an XML/HTML elements attribute via the  URI?
> On 2010-10-28 02:32:41 +0200, Matthew Millar said:
> > This would be extremely useful, if you wanted to highlight a particular 
> > section of a page, or want a particular element to render/behave 
> > differently.
> Which, unfortunately, makes it a perfect attack vector for cross-site 
> scripting (XSS).
> Claus
Received on Saturday, 30 October 2010 23:09:35 UTC
