- From: Mark Birbeck <mark.birbeck@x-port.net>
- Date: Sun, 20 Aug 2006 21:00:37 +0100
- To: "Ahmed Saad" <ahmed.lists@gmail.com>
- Cc: www-html@w3.org

Ahmed,

Interesting idea. Have you seen the @role attribute in XHTML 2, which is being developed as a standalone module so that it can be used in XHTML 1.x? That may be another way to implement the kind of thing you are talking about, without the need for more attributes.

Regards,

Mark

On 19/08/06, Ahmed Saad <ahmed.lists@gmail.com> wrote:
>
> Hello all,
>
> I'm no expert on (X)HTML but I had an idea that I think might help
> implement more secure web applications, in more specific words,
> protecting users against XSS attacks. The idea is to add a "nocode"
> (or a more descriptive name) attribute to elements that hints the
> browser to not execute any client-side code found within that element.
> For example, a content management system or a blog software that
> allows comments on some entry might use the following markup ..
>
> <div id="comment123" nocode="true">
> <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script>
> </div>
>
> Of course it's not a complete alternative to server-side filters, but
> it would act as a secondary safeguard solidifying a "defense in
> depth" approach. Comments are welcome.
>
>
> Regards,
> Ahmed
>

--
Mark Birbeck
CEO
x-port.net Ltd.

e: Mark.Birbeck@x-port.net
t: +44 (0) 20 7689 9232
w: http://www.formsPlayer.com/
b: http://internet-apps.blogspot.com/

Download our XForms processor from
http://www.formsPlayer.com/

Received on Sunday, 20 August 2006 20:00:46 UTC
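
The behaviour proposed for `nocode` in the quoted message, emulated as a server-side filter in Python. This is an added example, not code from either poster: `nocode` is only a proposal in this thread, and `NoCodeFilter`, `apply_nocode` and the sample markup are constructed here. It covers `<script>` elements and `on*` attributes inside a `nocode="true"` element and leaves the rest of the page untouched.

```python
from html import escape
from html.parser import HTMLParser

VOID = set("area base br col embed hr img input link meta source track wbr".split())

class NoCodeFilter(HTMLParser):
    """Emulates nocode="true"; comments and doctypes are not re-emitted."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []          # filtered markup fragments
        self.stack = []        # (tag, inside_nocode) for each open element
        self.dropping = False  # True while inside a dropped <script>

    def handle_starttag(self, tag, attrs):
        inherited = bool(self.stack) and self.stack[-1][1]
        if inherited and tag == "script":
            self.dropping = True
            return
        attrs = [(k, v) for k, v in attrs if not (inherited and k.startswith("on"))]
        if tag not in VOID:
            self.stack.append((tag, inherited or dict(attrs).get("nocode") == "true"))
        rendered = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs)
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if self.dropping or tag in VOID:  # end of a dropped <script>, or </br>
            self.dropping = False
            return
        while tag in [t for t, _ in self.stack] and self.stack.pop()[0] != tag:
            pass  # pop up to and including the matching open element
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(data)

    def handle_entityref(self, name):
        self.handle_data(f"&{name};")
    def handle_charref(self, name):
        self.handle_data(f"&#{name};")

def apply_nocode(markup):
    parser = NoCodeFilter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample: a comment container marked nocode, then ordinary page markup.
SAMPLE = ('<div id="comment123" nocode="true"><script>alert(1)</script>'
          '<b onclick="track()">nice &amp; short</b></div><p onclick="menu()">site</p>')
```

`apply_nocode(SAMPLE)` returns the container with the script and the `onclick` handler removed, while the `<p onclick>` outside the container is kept as written.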