- From: Bruce Miller <bruce.miller@nist.gov>
- Date: Wed, 02 Apr 2008 11:58:51 -0400
- To: Henri Sivonen <hsivonen@iki.fi>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Henri Sivonen wrote:
> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>> A minor question:
>> Is handling <whatevertag/> in HTML5 really a problem?
>
> Yes. Consider the security implications of different browsers and
> gatekeepers considering different things executable with <script/>.

I'm trying, but I don't get it.
I guess you're saying that with something like:

  <script/> do_dangerous_stuff(); </script>

that some agents would think the dangerous stuff is executable,
and others would think it's not?

If so, then that's really my point: HTML5 could specify,
e.g. that <script/> is empty. Then, whether or not </script>
`auto opens' another <script> in front of, or behind, or wherever,
do_dangerous_stuff(), well that's up to the HTML5 spec as well
(I haven't thought enough about it to have a preference;
just tell me which it is)

Or if you're saying that there are security implications
of software having bugs, or not following specs...

>> _Surely_, no one out there is writing HTML using <whatevertag/>
>> when they _don't_ mean to close the element?!?!?!
>
> Oh, there are people who *think* they are closing an element with
> <whatevertag/>.

Well, that was really my point:
Why not specify that it _does_ close the element?

> I think it is pretty safe to say that some of them end up relying on the
> actual layout or form behavior they get when <whatevertag/> doesn't
> close the element, but I don't have data to support this claim.
>

--
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/
Received on Wednesday, 2 April 2008 15:59:53 UTC
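
The disagreement discussed in this message, as an added example that is not part of the original email: two simplified readings of `<script/>` (one treating it as a start tag, one as an empty element) are run over the same markup to show where a gatekeeper and a browser would see different script text. The function names `scriptBodies` and `disagreement` are hypothetical, the sample markup is constructed from the snippet in the message, and neither model is a real HTML parser.

```javascript
// Added illustration: both models track script tags only and ignore
// everything else in the markup (comments, attribute quoting, other elements).
const TAG = /<(\/?)script\b[^>]*?(\/?)>/gi;

// Returns the text each reading would hand to the script engine.
// selfClosingEndsElement = true  : "<script/>" is an empty element.
// selfClosingEndsElement = false : the "/" is ignored, "<script/>" opens a script.
function scriptBodies(markup, selfClosingEndsElement) {
  const bodies = [];
  let openAt = -1; // index where the current script text starts, -1 if none open
  TAG.lastIndex = 0;
  for (let m; (m = TAG.exec(markup)); ) {
    const isEnd = m[1] === "/";
    const hasSlash = m[2] === "/";
    if (!isEnd && openAt < 0) {
      if (hasSlash && selfClosingEndsElement) continue; // empty element, no body
      openAt = TAG.lastIndex;
    } else if (isEnd && openAt >= 0) {
      bodies.push(markup.slice(openAt, m.index).trim());
      openAt = -1;
    }
    // A start tag inside open script text is just text; a stray end tag
    // with nothing open is dropped. Both readings share these two rules.
  }
  return bodies;
}

// Compares the two readings. A gatekeeper and a browser are only safe
// together when "agree" is true for everything the gatekeeper lets through.
function disagreement(markup) {
  const asStartTag = scriptBodies(markup, false);
  const asEmptyElement = scriptBodies(markup, true);
  return {
    asStartTag,
    asEmptyElement,
    agree: JSON.stringify(asStartTag) === JSON.stringify(asEmptyElement),
  };
}

// Constructed sample, taken from the snippet quoted in the message.
const SAMPLE = "<script/> do_dangerous_stuff(); </script>";
console.log(disagreement(SAMPLE));
```

Whichever rule a specification picks, the check that matters for a filter is that it applies the same rule as the agents behind it, or rejects input on which the two readings differ.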