- From: Andrew McFarland <andrew.mcfarland@unite.net>
- Date: Fri, 16 Aug 2002 16:01:40 +0100
- To: www-html@w3.org
At 08:55 16/08/2002 -0500, Carlos Paz wrote:
<snip/>
>A problem that most web developers must face today is the security risk
>involved with the publication of user contributed data on their website
>that allows some html formatting tags,
<snip/>
Then surely this is a problem that should be solved by the web developers - 
if you are going to allow raw HTML, make sure you only allow those tags and 
attributes you _know_ to be safe, or (better still) define a mini language 
that users can use - _b_ bold text here _!b_ - for example.
Adding a security element to HTML strikes me as wrong for two reasons:
  o You are making HTML contain device dependent information, in much the
    same way as the font element did.
  o Even if the above wasn't an issue, for the security element to work
    browser vendors would have to implement it in a (relatively) bug free
    way and users would have to upgrade their browsers. There is _no way_
    developers could depend on a security element.
A security tag would be an inappropriate and ineffective thing IMO. 
Possibly something like a content-tainted HTTP header would be useful. 
Possibly not.
Andrew
--
Andrew McFarland
UNITE Solutions
http://www.unite.net/
Received on Friday, 16 August 2002 11:05:18 UTC
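
The mini-language approach suggested in the message above, as an added example that is not part of the original post: user text is HTML-escaped in full and only known markers become tags. The `_i_` and `_u_` markers, the function name `render` and the sample input are assumptions; the message itself only shows `_b_ ... _!b_`.

```python
import html
import re

# Marker name -> HTML tag. Only _b_ appears in the message; _i_ and _u_ are
# assumed here by analogy.
ALLOWED = {"b": "b", "i": "i", "u": "u"}
TOKEN = re.compile(r"_(!?)([a-z]+)_")

# Constructed sample input: one valid pair, raw markup, one unclosed marker.
SAMPLE = "_b_hi_!b_ <script>alert(1)</script> _i_open"


def render(text):
    """Render mini-language text to HTML containing only ALLOWED tags.

    Everything that is not a recognised, correctly nested marker is
    emitted as escaped text, so user-supplied markup never reaches the page.
    """
    out, stack, pos = [], [], 0
    for m in TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        pos = m.end()
        closing, tag = m.group(1) == "!", ALLOWED.get(m.group(2))
        if tag is None:
            # Unknown marker such as _script_: keep it as literal text.
            out.append(html.escape(m.group(0)))
        elif not closing:
            stack.append(tag)
            out.append(f"<{tag}>")
        elif stack and stack[-1] == tag:
            stack.pop()
            out.append(f"</{tag}>")
        else:
            # Stray or mis-nested closing marker: literal text, no tag.
            out.append(html.escape(m.group(0)))
    out.append(html.escape(text[pos:]))
    # Close whatever the user left open so formatting cannot leak into
    # the rest of the page.
    while stack:
        out.append(f"</{stack.pop()}>")
    return "".join(out)


if __name__ == "__main__":
    print(render(SAMPLE))
```
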