- From: Ahmed Saad <ahmed.lists@gmail.com>
- Date: Sat, 19 Aug 2006 16:25:22 +0300
- To: www-html@w3.org

Hello all,

I'm no expert on (X)HTML but I had an idea that I think might help implement more secure web applications, in more specific words, protecting users against XSS attacks. The idea is to add a "nocode" (or a more descriptive name) attribute to elements that hints the browser to not execute any client-side code found within that element. For example, a content management system or blog software that allows comments on some entry might use the following markup:

    <div id="comment123" nocode="true">
    <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script>
    </div>

Of course it's not a complete alternative to server-side filters, but it would act as a secondary safeguard solidifying a "defense in depth" approach.

Comments are welcome.

Regards,
Ahmed

Received on Sunday, 20 August 2006 02:13:36 UTC
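
Added example, not part of the original message: a Python sketch that emulates the proposed attribute by re-serialising markup and dropping code inside any element flagged nocode="true". The message does not define "client-side code", so reading it as script elements, on* handler attributes and javascript: URLs is an assumption, and NoCodeEmulator, emulate_nocode and CONSTRUCTED_SAMPLE are hypothetical names.

```python
from html import escape
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
URL_ATTRS = {"href", "src", "action", "formaction"}
CONSTRUCTED_SAMPLE = '<div id="comment123" nocode="true"> <script>alert(1);</script> </div>'

class NoCodeEmulator(HTMLParser):
    """Re-serialise markup, dropping code inside nocode="true" subtrees (assumed semantics)."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []
        self.guard_depth = None  # stack depth where the flagged element began
        self.skipping = False    # inside the body of a guarded <script>
    def _is_code(self, name, value):
        url = "".join((value or "").split()).lower()  # ignore embedded whitespace
        return name.startswith("on") or (name in URL_ATTRS and url.startswith("javascript:"))
    def handle_starttag(self, tag, attrs):
        flagged = dict(attrs).get("nocode") == "true"
        guarded = flagged or self.guard_depth is not None
        if tag not in VOID:
            if flagged and self.guard_depth is None:
                self.guard_depth = len(self.stack)
            self.stack.append(tag)
        if guarded:
            self.skipping = tag == "script"
            attrs = [(n, v) for n, v in attrs if not self._is_code(n, v)]
        text = "".join(f" {n}" if v is None else f' {n}="{escape(v)}"' for n, v in attrs)
        self.out.append("" if self.skipping else f"<{tag}{text}>")
    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # stray end tag: nothing open to close
        while self.stack.pop() != tag:
            pass
        if not (self.skipping and tag == "script"):
            self.out.append(f"</{tag}>")
        self.skipping = False
        if self.guard_depth is not None and len(self.stack) <= self.guard_depth:
            self.guard_depth = None  # left the flagged element
    def handle_data(self, data):
        raw = self.stack[-1:] in (["script"], ["style"])  # unguarded script/style body
        if not self.skipping:
            self.out.append(data if raw else escape(data, quote=False))

def emulate_nocode(markup):
    parser = NoCodeEmulator()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

The guard follows element nesting, so it ends at the first end tag that closes the flagged element; the server-side filter still has to keep submitted text from closing its container.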