Re: "/>" (was Re: several messages about New Vocabularies in text/html

On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>>> A minor question:
>>> Is handling <whatevertag/> in HTML5 really a problem?
>> Yes. Consider the security implications of different browsers and  
>> gatekeepers considering different things executable with <script/>.
>
> I'm trying, but I don't get it.
> I guess you're saying that with something like:
> <script/>
>    do_dangerous_stuff();
> </script>
> that some agents would think the dangerous stuff is executable,
> and others would think it's not?
>
> If so, then that's really my point: HTML5 could specify,
> eg. that <script/> is empty.  Then, whether or not </script>
> `auto opens' another <script> in front of, or behind, or whereever,
> do_dangerous_stuff(), well that's up to the HTML5 spec as well
> (I haven't thought enough about it to have a preference;
> just tell me which it is)
>
> Or if you're saying that there are security implications of
> software having bugs, or not following specs...

Gatekeeper applying the rule "/> always closes" would determine that  
do_dangerous_stuff(); is not executable but existing browsers would  
still run it. Of course, this is the wrong way to write a gatekeeper.  
The right way is *never* to pass through original source but to always  
run a parser, followed by sanitizer, followed by serializer. However,  
we can't expect people who write gatekeepers to be competent.

>>> _Surely_, no one out there is writing HTML using <whatevertag/>
>>> when they _dont_ mean to close the element?!?!?!
>> Oh, there are people who *think* they are closing and element with  
>> <whatevertag/>.
>
> Well, that was really my point:
> Why not specify that it _does_ close the element?

Because it would change parsing of existing pages--possibly in ways  
that would "break" the pages.

>> I think it is pretty safe to say that some of them end up relying  
>> on the actual layout or form behavior they get when <whatevertag/>  
>> doesn't close the element, but I don't have data to support this  
>> claim.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Wednesday, 2 April 2008 16:08:50 UTC