- From: Nicolás Lichtmaier <nick@technisys.com.ar>
- Date: Wed, 21 Aug 2002 21:47:18 -0300
- To: www-html@w3.org
> <html>
> ...
> web app's html
> ...
> <p>A user's comment:</p>
> <security block="action_tags" id="SECURITY_TAG_ID"
> report_to="/security.php">
> Here goes the user's data, comments, html, etc.
> All harmless html code is rendered, but code enabling tags
> (java/script,activex and other not known/implemented dangerous tags)
> stuff is ignored.
> </security id="SECURITY_TAG_ID">
> ...
> The rest of the app's html.
> ...
> </html>

Interesting suggestion. It could be shaped like this:

This attribute in every block element:

<!ATTLIST ... trust (trusted|marginal|untrusted) trusted >

trusted: noop
untrusted: scripting elements will be ignored
marginal: Well.. this is harder... It would work like this (taking JavaScript as an example). It would replace the "window" global object with another window object with restricted functionality. window.document would have access only to the document fragment inside the area.

All of this would be part of the "scripting" module...
Received on Wednesday, 21 August 2002 20:47:37 UTC
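
Added example, not part of the original message: a JavaScript model of the "untrusted" level applied to a constructed element tree. The node shape, the list of scripting tags, the attribute checks and the rule that a nested trust value can only lower the level are assumptions of this example; "marginal" is tracked but its restricted window object is not modelled.

```javascript
// Assumed set of script-enabling elements; the message does not list them.
const SCRIPTING_TAGS = new Set(["script", "object", "embed", "applet"]);
const RANK = new Map([["untrusted", 0], ["marginal", 1], ["trusted", 2]]);

// Trust may only decrease while descending (assumption of this example), so
// markup inside an untrusted block cannot declare trust="trusted" to escape.
function effectiveTrust(inherited, declared) {
  if (!RANK.has(declared)) return inherited; // absent or unknown value
  return RANK.get(declared) < RANK.get(inherited) ? declared : inherited;
}

// Simplified check for attributes that carry script: event handlers and
// javascript: URLs. A real user agent would need a stricter URL parser.
function isScriptingAttr(name, value) {
  return /^on/i.test(name) || /^\s*javascript:/i.test(String(value));
}

// Returns a copy of the tree with scripting removed from untrusted regions.
// Nodes are {tag, attrs, children}; strings are text nodes.
function applyTrust(node, inherited = "trusted") {
  if (typeof node === "string") return node;
  const attrs = node.attrs || {};
  const trust = effectiveTrust(inherited, attrs.trust);
  const untrusted = trust === "untrusted";
  if (untrusted && SCRIPTING_TAGS.has(node.tag.toLowerCase())) return null;
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (!(untrusted && isScriptingAttr(name, value))) kept[name] = value;
  }
  const children = (node.children || [])
    .map((child) => applyTrust(child, trust))
    .filter((child) => child !== null);
  return { tag: node.tag, attrs: kept, children };
}

// Constructed sample: an application script plus a user comment that tries
// to re-enable scripting with a nested trust="trusted" block.
const page = { tag: "body", attrs: {}, children: [
  { tag: "script", attrs: { src: "/app.js" }, children: [] },
  { tag: "div", attrs: { trust: "untrusted" }, children: [
    { tag: "p", attrs: { onclick: "x()" }, children: ["hello"] },
    { tag: "div", attrs: { trust: "trusted" }, children: [
      { tag: "script", attrs: {}, children: ["x()"] },
      { tag: "a", attrs: { href: "javascript:x()" }, children: ["link"] },
    ] },
  ] },
] };

const result = applyTrust(page);
```

The application's own script survives because it sits outside the untrusted block, while the nested block's claim of trust="trusted" has no effect on the user-supplied script, handler and link.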