- From: David Woolley <forums@david-woolley.me.uk>
- Date: Fri, 10 Aug 2007 08:05:16 +0100
- To: www-html@w3.org
Lincoln Yeoh wrote:
> I think it's way overdue to have a security oriented tag to disable
> unwanted features. I proposed something like this here 5 years ago
> (2002), and I'm back here to propose it again.

Where were you when Google implemented this wrongly, by using attributes on links that were potentially link spam because they were third party sourced?

> Recap on why such tags are needed:

I presume you mean element, not tag.

> With such tags you can give hints to the browsers to disable unwanted
> stuff between the tags, so that even if your site's filtering is

In a semantic language, like XHTML (your examples are for XHTML, not HTML), you should not attempt to tell the browser what to do, you should simply tell it that some content is from an unvetted third party source.

> <restricton lock="Random_hard_to_guess_string" except="java,safe-html" />

As noted, you should not be marking up documents with technology specific directives.

> browser ignores features except for java and safe-html.
> unsafe content here, but rendered safely by browser
> <restrictoff lock="wrong_string" />

Ouch. Shades of tag soup. You have created elements that behave like tag soup use of mis-nested open and close tags.

If you really want to do that sort of thing, you should use processing instructions, instead. However, especially as you are already assuming the use of XHTML, you should simply check the enclosed content for well formedness and then set an appropriate untrusted attribute on the containing element.

Incidentally, as Google have demonstrated, a elements are not part of safe HTML, so there is no H in safe HTML!

--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
Received on Friday, 10 August 2007 07:05:38 UTC
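
An added example, not part of the archived message: one way to do the server-side check the reply describes, parsing the third-party fragment for well-formedness before placing it inside a marked container. The `untrusted` attribute and the function names are assumptions made for illustration; XHTML defines no such attribute.

```python
import xml.parsers.expat
from xml.sax.saxutils import escape

# Hypothetical marker: XHTML defines no "untrusted" attribute. It only labels
# the content's provenance; a consumer still has to decide how to treat it.
OPEN, CLOSE = '<div untrusted="true">', "</div>"


def is_well_formed_fragment(fragment: str) -> bool:
    """True if the fragment parses as the complete content of one element.

    The fragment is parsed inside a throwaway root. A stray end tag that
    would close the real container early closes this root instead, and the
    parser then rejects whatever follows as junk after the document element.
    A DOCTYPE cannot appear inside an element, so no entity definitions
    can be smuggled in through the fragment either.
    """
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(f"<root>{fragment}</root>", True)
    except xml.parsers.expat.ExpatError:
        return False
    return True


def embed_third_party(fragment: str) -> str:
    """Wrap third-party markup in the marked container.

    Well-formed input is embedded as markup; anything else is embedded as
    escaped text so it cannot affect the element structure at all.
    """
    body = fragment if is_well_formed_fragment(fragment) else escape(fragment)
    return f"{OPEN}{body}{CLOSE}"


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in (
        "<p>hi <b>there</b></p>",
        '</div><restrictoff lock="wrong_string" />',
        "<b>unclosed",
    ):
        print(embed_third_party(sample))
```

The check guarantees only that the fragment cannot terminate its container early; what the marked content is allowed to do is still up to whatever consumes the attribute.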