- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Wed, 2 Apr 2008 19:07:57 +0300
- To: Bruce Miller <bruce.miller@nist.gov>
- Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:29, Bruce Miller wrote:
>>> A minor question:
>>> Is handling <whatevertag/> in HTML5 really a problem?
>> Yes. Consider the security implications of different browsers and
>> gatekeepers considering different things executable with <script/>.
>
> I'm trying, but I don't get it.
> I guess you're saying that with something like:
> <script/>
> do_dangerous_stuff();
> </script>
> that some agents would think the dangerous stuff is executable,
> and others would think it's not?
>
> If so, then that's really my point: HTML5 could specify,
> eg. that <script/> is empty. Then, whether or not </script>
> `auto opens' another <script> in front of, or behind, or wherever,
> do_dangerous_stuff(), well that's up to the HTML5 spec as well
> (I haven't thought enough about it to have a preference;
> just tell me which it is)
>
> Or if you're saying that there are security implications of
> software having bugs, or not following specs...

A gatekeeper applying the rule "/> always closes" would determine that do_dangerous_stuff(); is not executable, but existing browsers would still run it.

Of course, this is the wrong way to write a gatekeeper. The right way is *never* to pass through original source but to always run a parser, followed by sanitizer, followed by serializer. However, we can't expect people who write gatekeepers to be competent.

>>> _Surely_, no one out there is writing HTML using <whatevertag/>
>>> when they _don't_ mean to close the element?!?!?!
>> Oh, there are people who *think* they are closing an element with
>> <whatevertag/>.
>
> Well, that was really my point:
> Why not specify that it _does_ close the element?

Because it would change parsing of existing pages--possibly in ways that would "break" the pages.

>> I think it is pretty safe to say that some of them end up relying
>> on the actual layout or form behavior they get when <whatevertag/>
>> doesn't close the element, but I don't have data to support this
>> claim.

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Wednesday, 2 April 2008 16:08:50 UTC
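To make the two readings Henri contrasts concrete, here is an added illustration that is not part of the thread: a toy checker applying the gatekeeper rule "/> always closes" beside an HTML5-style tokenizer that ignores the self-closing flag on script (script is not a void element, so the content up to </script> is script data), plus a parse-sanitize-serialize pass over the same constructed sample. The sample markup, the tokenizer and the function names are constructed for this sketch; it is not a conforming HTML5 tokenizer and drops attributes.

```python
import re
SAMPLE = "<p>hi</p><script/>do_dangerous_stuff();</script><p>bye</p>"  # constructed sample
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>")

def _script_end(markup, pos):
    end = markup.lower().find("</script", pos)
    return len(markup) if end < 0 else end

def naive_script_bodies(markup):
    """Gatekeeper rule '/> always closes': <script/> is empty, so what follows is plain text."""
    bodies, pos = [], 0
    while m := TAG_RE.search(markup, pos):
        closing, name, _, selfclose = m.groups()
        pos = m.end()
        if name.lower() == "script" and not closing and not selfclose:
            end = _script_end(markup, pos)
            bodies.append(markup[pos:end])
            pos = end
    return bodies

def html5_tokens(markup):
    """HTML5-style reading: script is not void, so the '/' in <script/> is ignored and
    everything up to </script> is script data. Yields (kind, value); attributes dropped."""
    pos = 0
    while m := TAG_RE.search(markup, pos):
        if m.start() > pos:
            yield ("text", markup[pos:m.start()])
        closing, name, _, _ = m.groups()
        name, pos = name.lower(), m.end()
        if closing:
            yield ("end", name)
        elif name == "script":
            end = _script_end(markup, pos)
            yield ("script", markup[pos:end])
            pos = end  # the </script> tag itself comes out as an end token next
        else:
            yield ("start", name)
    if pos < len(markup):
        yield ("text", markup[pos:])

def sanitize(markup):
    """Parse, drop script elements, re-serialize: the original source never passes through."""
    out = []
    for kind, value in html5_tokens(markup):
        if kind == "text":
            out.append(value.replace("&", "&amp;").replace("<", "&lt;"))
        elif kind in ("start", "end") and value != "script":
            out.append(f"<{'/' if kind == 'end' else ''}{value}>")
    return "".join(out)
```

On SAMPLE the naive checker reports no script body while the HTML5-style reading finds do_dangerous_stuff(); and the serializer-based pass emits only the two paragraphs.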