- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Mon, 21 Aug 2006 15:34:24 +0200
- To: "Ahmed Saad" <ahmed.lists@gmail.com>
- Cc: www-html@w3.org

* Ahmed Saad wrote:
>For the sake of clarity, the example I wrote was overly simplistic to
>get the idea across. Of course any reasonably coded filter can handle
>such example but "real world" XSS vulnerabilities are never that
>simple.

Virtually all real world web site script injection flaws are extremely
trivial ones, actually. As for dealing with browser vendors making it
more and more difficult to filter all the bad stuff out, that is indeed
a problem, but you'd have a much better 80/20 solution if you introduce
a processing instruction that prevents script execution from anywhere
but external scripts from the same site as the document.

--
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Weinh. Str. 22 · Telefon: +49(0)621/4309674 · http://www.bjoernsworld.de
68309 Mannheim · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/

Received on Monday, 21 August 2006 13:41:15 UTC
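
The rule proposed in the message above, modelled as an added example that is not part of the original post or of any specification: script runs only when it is an external file from the document's own origin. The function names, the `kind` labels and the sample inputs are constructed for illustration.

```javascript
// Hypothetical model of the proposed opt-in rule; not a real browser API.
// source.kind is one of "external" (a <script src>), "inline" (a <script> body),
// "handler" (an on* attribute) or "url" (a javascript: link).
function scriptSourceAllowed(documentUrl, source) {
  if (source.kind !== "external") {
    return { allowed: false, reason: `${source.kind} script is not an external file` };
  }
  let doc, target;
  try {
    doc = new URL(documentUrl);
    target = new URL(source.value, doc); // resolve a relative src against the document
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  // data:, javascript: and similar schemes carry the code in the URL itself,
  // so they are inline script in disguise.
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { allowed: false, reason: `scheme ${target.protocol} is not a fetched file` };
  }
  // "Same site" is read here as same origin: scheme, host and port must all match.
  if (target.origin !== doc.origin) {
    return { allowed: false, reason: `cross-origin source ${target.origin}` };
  }
  return { allowed: true, reason: "same-origin external script" };
}

// Returns the sources the rule would refuse to run, with the reason for each.
function auditScripts(documentUrl, sources) {
  return sources
    .map((s) => ({ ...s, ...scriptSourceAllowed(documentUrl, s) }))
    .filter((r) => !r.allowed);
}

// Constructed sample: script sources found in one page, some from user content.
const SAMPLE_DOC = "https://www.example.org/guestbook?page=2";
const SAMPLE_SOURCES = [
  { kind: "external", value: "/js/app.js" },
  { kind: "external", value: "js/menu.js" },
  { kind: "inline", value: "track()" },
  { kind: "handler", value: "onload=track()" },
  { kind: "external", value: "//cdn.example.net/lib.js" },
  { kind: "external", value: "http://www.example.org/js/app.js" },
  { kind: "external", value: "data:text/javascript,track()" },
  { kind: "url", value: "javascript:track()" },
];

for (const r of auditScripts(SAMPLE_DOC, SAMPLE_SOURCES)) {
  console.log(`blocked ${r.kind} ${JSON.stringify(r.value)}: ${r.reason}`);
}
```

The `script-src 'self'` directive of the later Content Security Policy standard expresses essentially this restriction, delivered as an HTTP header rather than a processing instruction.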