Re: "/>" (was Re: several messages about New Vocabularies in text/html

Henri Sivonen wrote:
> 
> On Apr 2, 2008, at 19:13, Bruce Miller wrote:
>>
>> Henri Sivonen wrote:
>>> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>>>> I'm trying, but I don't get it.
>>>> I guess you're saying that with something like:
>>>> <script/>
>>>>   do_dangerous_stuff();
>>>> </script>
>>> Gatekeeper applying the rule "/> always closes" would determine that 
>>> do_dangerous_stuff(); is not executable but existing browsers would 
>>> still run it. Of course, this is the wrong way to write a gatekeeper. 
>>> The right way is *never* to pass through original source but to 
>>> always run a parser, followed by sanitizer, followed by serializer. 
>>> However, we can't expect people who write gatekeepers to be competent.
>>
>> Hmm....
>> Can </script> put do_dangerous_stuff(); into a (new) <script>
>> so that "everybody" agrees it's executable?
> 
> Not without creating a gatekeeper problem.

What problem?
They'll treat dangerous stuff as executable whether
they follow the old rules, or the new rules, won't they?

>> What do current browsers do with:
>> <script/>
>>  do_dangerous_stuff();
>> <body>....
>> ?
> 
> 
> The <body> tag becomes part of the script but the script doesn't run, 
> because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1 
> and Opera 9.5 beta.)

I'm tempted to say, "That's a good result"
since the dangerous stuff is not actually executed
according to either old or new rules....
But I suspect you won't be convinced by that... :>
(and I can almost understand why...)

> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E... 
> 
> 


-- 
bruce.miller@nist.gov
http://math.nist.gov/~BMiller/

Received on Wednesday, 2 April 2008 16:33:12 UTC
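
The disagreement discussed in this message, as an added example that is not part of the original e-mail: a simplified Python model of the "/> always closes" rule next to the browser behaviour reported in the thread (slash ignored on <script>, script text runs to </script>, no execution if EOF comes first). The function names and the regex-based scanning are assumptions made for illustration, not a real HTML parser.

```python
import re

# Constructed inputs: the two snippets quoted in the thread.
CLOSED = "<script/>\n  do_dangerous_stuff();\n</script>"
UNCLOSED = "<script/>\n do_dangerous_stuff();\n<body>...."

SCRIPT_OPEN = re.compile(r"<script\b[^>]*?(/?)>", re.IGNORECASE)
SCRIPT_CLOSE = re.compile(r"</script\s*>", re.IGNORECASE)


def executed_scripts(html, slash_closes):
    """Return the script bodies that run under one of the two rules.

    slash_closes=True  -> the '/> always closes' rule
    slash_closes=False -> behaviour reported in the thread: slash ignored,
                          script text runs up to </script>, and a script
                          cut off by EOF does not run.
    """
    bodies, pos = [], 0
    while True:
        start = SCRIPT_OPEN.search(html, pos)
        if start is None:
            return bodies
        if slash_closes and start.group(1):
            pos = start.end()      # empty element: nothing to execute
            continue
        end = SCRIPT_CLOSE.search(html, start.end())
        if end is None:
            return bodies          # EOF before </script>: not executed
        body = html[start.end():end.start()].strip()
        if body:
            bodies.append(body)
        pos = end.end()


def rules_disagree(html):
    """True when a gatekeeper and a browser would see different scripts."""
    return executed_scripts(html, True) != executed_scripts(html, False)


if __name__ == "__main__":
    for name, sample in (("closed", CLOSED), ("unclosed", UNCLOSED)):
        print(name, executed_scripts(sample, True),
              executed_scripts(sample, False), rules_disagree(sample))
```

Only the first snippet makes the two rules disagree; the unclosed one yields no executed script under either rule, which is the case described above as "a good result".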