Security Markup

Hello all,

I'm no expert on (X)HTML but I had an idea that I think might help
implement more secure web applications, in more specific words,
protecting users against XSS attacks.  The idea is to add a "nocode"
(or a more descriptive name) attribute to elements that hints the
browser to not execute any client-side code found within that element.
For example, a content management system or a blog software that
allows comments on some entry might use the following markup:

<div id="comment123" nocode="true">
<script type="text/javascript">alert('This piece of code will not be
executed even though it evaded the server-side filter');</script>
</div>

Of course it's not a complete alternative to server-side filters, but
it would act as a secondary safeguard solidifying a "defense in
depth" approach. Comments are welcome.


Regards,
Ahmed

Received on Sunday, 20 August 2006 02:13:36 UTC
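As an added illustration that is not part of Ahmed's message, the following Python code models the semantics the proposed attribute asks of the browser: everything inside an element carrying `nocode="true"` (the attribute name is taken from the message) is re-serialised with its executable parts removed, while markup outside any `nocode` subtree passes through untouched. The message only mentions `<script>` elements; dropping `on*` event-handler attributes and `javascript:` URLs inside the subtree is my own extension of the idea, since those are the other places markup carries code. The sample HTML is constructed for the demonstration.

```python
# Added illustration, not code from the mailing-list message: a model of the
# "nocode" attribute proposed there, applied to an HTML string.  Inside a
# nocode subtree it drops <script> elements (the message's case) and, as an
# extension of the idea, on* handler attributes and javascript: URLs.
from html import escape
from html.parser import HTMLParser

NOCODE_ATTR = "nocode"          # attribute name proposed in the message
# Elements with no end tag; they must not be pushed on the open-element stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}
# Attributes whose value is navigated or fetched and can carry a javascript: URL.
URL_ATTRS = {"href", "src", "action", "formaction"}


class NoCodeFilter(HTMLParser):
    """Re-serialise HTML, dropping executable content inside nocode subtrees."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # output fragments
        self.stack = []        # open elements as (tag, opened_a_nocode_subtree)
        self.nocode = 0        # number of open elements carrying the nocode attribute
        self.skipping = False  # True while inside a <script> that is being removed
        self.removed = 0       # scripts and attributes dropped (useful for logging)

    def _clean_attrs(self, attrs):
        kept = []
        for name, value in attrs:
            # HTMLParser lower-cases attribute names, so "onClick" arrives as "onclick".
            if name.startswith("on"):
                self.removed += 1
                continue
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.removed += 1
                continue
            kept.append((name, value))
        return kept

    def _emit_start(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        opens_nocode = any(name == NOCODE_ATTR for name, _ in attrs)
        if tag == "script" and (self.nocode or opens_nocode):
            # Drop the element and everything up to its end tag.
            self.skipping = True
            self.removed += 1
            return
        if opens_nocode and tag not in VOID:
            self.nocode += 1
        if self.nocode:
            attrs = self._clean_attrs(attrs)
        if tag not in VOID:
            self.stack.append((tag, opens_nocode))
        self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        # <br/>-style tags have no subtree, so they never open a nocode scope.
        if self.skipping:
            return
        if self.nocode:
            attrs = self._clean_attrs(attrs)
        self._emit_start(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == "script":
                self.skipping = False
            return
        if tag in VOID:
            return
        # Pop to the matching open element, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                self.nocode -= sum(1 for _, flag in self.stack[i:] if flag)
                del self.stack[i:]
                break
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skipping:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if not self.skipping:
            self.out.append(f"<!--{data}-->")


def strip_code_in_nocode(html: str) -> tuple[str, int]:
    """Return (filtered_html, number_of_executable_items_removed)."""
    f = NoCodeFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.removed


# Constructed sample: the message's comment box plus a page-level script outside it.
SAMPLE = """<div id="comment123" nocode="true">
<script type="text/javascript">alert('evaded the server-side filter');</script>
<a href="javascript:alert(1)" onclick="alert(2)">link</a>
<p>Plain <b>text</b> &amp; entities survive.</p>
</div>
<script>console.log('trusted page script outside nocode still runs');</script>"""

if __name__ == "__main__":
    filtered, removed = strip_code_in_nocode(SAMPLE)
    print(filtered)
    print(f"removed {removed} executable items")
```

The filter is server-side only because that is where a stand-alone script can run; the message's point is that the browser itself would honour the attribute, which is why the design keeps the `nocode` marker in the output rather than consuming it. The `removed` count exists so a deployment could log how often the secondary layer caught something the primary filter missed.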