- From: Ahmed Saad <ahmed.lists@gmail.com>
- Date: Sat, 19 Aug 2006 16:25:22 +0300
- To: www-html@w3.org
Hello all,
I'm no expert on (X)HTML but I had an idea that I think might help
implement more secure web applications, in more specific words,
protecting users against XSS attacks. The idea is to add a "nocode"
(or a more descriptive name) attribute to elements that hints the
browser to not execute any client-side code found within that element.
For example, a content management system or a blog software that
allows comments on some entry might use the following markup ..
<div id="comment123" nocode="true">
<script type="text/javascript">alert('This piece of code will not be
executed even though it evaded the server-side filter');</script>
</div>
Of course it's not a complete alternative to server-side filters, but
it would act as a secondary safe guard solidifying a "defense in
depth" approach. Comments are welcome.
Regards,
Ahmed
Received on Sunday, 20 August 2006 02:13:36 UTC