Re: Security Markup

> protecting users against XSS attacks.  The idea is to add a "nocode"
> (or a more descriptive name) attribute to elements that hints the

I think this has the same flaw as the recent Google invention of
an attribute that prevents third party content links being followed
in that it is a command to the browser, rather than description
of the content.  I suspect the same descriptive property would actually
have covered both cases.

> browser to not execute any client-side code found within that element.
> For example, a content management system or a blog software that
> allows comments on some entry might use the following markup ..

One needs to consider what happens if the attribute is dynamically 
modified by scripting.

> <div id="comment123"  nocode="true">

Historically, this would have been nocode="nocode", which, by SGML
rules, can be collapsed to simply nocode in HTML.  I don't know 
what the current policy is on this.

PS.  It's a good idea to avoid two word subject that don't obviously
relate to an active topic.  Most of the spam that gets through my
ISP's filters falls into that category these days, i.e. two random
words from the dictionary.  I discarded this unread until I saw the

Received on Monday, 21 August 2006 07:07:58 UTC