From the perspective of a web application programmer and security
consultant, I think it would be very useful to have HTML tags to mark HTML
sections where active content should be disabled, possibly selected active
content. 

Right now the HTML environment with respect to potentially dangerous
content is: 
In order to stop, you must make sure that none of the 1001 GO buttons were
pressed before. There is no STOP button. No Big Red Emergency Stop button.

This seems to be a disaster prone situation. Like driving a car without
brakes. Only experts can do it, and typically even they screw up too.

I think we need some form of brakes. Something like the following:

<activeoff lock="matchingrandomstring" allowed="java" />
Any active content disabled here. Even if slips past site's filters.
<activeon lock="matchingrandomstring" />
The disabled active content reenabled. Does not mean everything enabled,
just those disabled earlier.

(The /> is to make it XHTML compatible à la the BR tag).

This would be especially good for sites displaying 3rd party/possibly
hostile content- for example: webmail sites (Hotmail, Yahoo), discussion
sites (slashdot, kuro5hin, etc), sites displaying syndicated content from
other sources, or even search engines.

Reasoning:
1) Though sites should still filter any content they display, there have
been cases where due to browser parser differences, attackers can still
slip in dangerous active content. Sites are unable to deal with the myriad
browser bugs.

2) There are too many ways to slip in dangerous content. And the number of
ways seems to be increasing not decreasing.

3) There aren't enough tags to disable dangerous content, only way to
ensure is to make sure that no dangerous content appears anywhere.

4) With a tag like this, sites can enable active content under their
control, whilst reducing the chance that malicious active content will
affect their users. Users can thus be more confident about enabling active
content.

Finally:
I have exploited sites just by using IFRAMEs or images alone. So rather
than just disabling active content it may actually be good to have a tag
that selectively disables stuff, or a "safe HTML only" option, the typical
safe HTML sites allow - no images, no IFRAMEs. So maybe instead of
activeoff it should be something like:

<htmlmode option="safe" allowed="a,table" lock="randomstring">

But implementation complexity could increase. Simplicity is the target -
simple = less bugs, easy adoption.

If tags to disable stuff like this became common usage, it could
be very much harder to do mischief.

This is not a total solution. There are no 100% solutions in security. This
is a safety aid - seat belt, air bag, brakes etc. Just because brakes
aren't a 100% solution to driving safely doesn't mean you don't need
brakes.

I have tried the www-html list, and other places, nothing happened, many
people didn't even understand the problem or concept, but still objected
anyway. 
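
A small model of the lock idea proposed above, added here as an example and not part of the original post. The tag names come from the post; the client rule (an activeon whose lock does not match is ignored), the function names and the sample page are assumptions, and no browser implements these tags.

```python
import re
import secrets

# Hypothetical <activeoff>/<activeon> tags from the post, plus <script> elements.
TOKEN = re.compile(
    r'<(activeoff|activeon)\s+lock="([^"]*)"[^>]*/>|<script\b[^>]*>.*?</script>',
    re.I | re.S,
)

def wrap_untrusted(fragment):
    """Server side: fence third-party HTML with a fresh, unguessable lock."""
    lock = secrets.token_hex(16)  # new value for every response
    return f'<activeoff lock="{lock}" />{fragment}<activeon lock="{lock}" />'

def scripts_that_would_run(page):
    """Assumed client rule: after activeoff, only an activeon carrying
    the same lock re-enables active content."""
    active_lock = None
    runnable = []
    for m in TOKEN.finditer(page):
        kind, lock = m.group(1), m.group(2)
        if kind is None:                      # a <script> element
            if active_lock is None:
                runnable.append(m.group(0))
        elif kind.lower() == "activeoff":
            if active_lock is None:           # nested activeoff is ignored
                active_lock = lock
        elif lock == active_lock:             # activeon with the matching lock
            active_lock = None
        # activeon with a wrong lock falls through and changes nothing
    return runnable

# Constructed sample input: a comment that slipped past the site's filter
# and tries to close the fenced section by guessing the lock.
SITE_MENU = "<script>siteMenu()</script>"
SITE_FOOTER = "<script>siteFooter()</script>"
HOSTILE = '<activeon lock="guess" /><script>hostile()</script>'

def render(fenced):
    """Build the page with or without the fence around the hostile comment."""
    body = wrap_untrusted(HOSTILE) if fenced else HOSTILE
    return SITE_MENU + body + SITE_FOOTER

if __name__ == "__main__":
    print("unfenced:", scripts_that_would_run(render(False)))
    print("fenced:  ", scripts_that_would_run(render(True)))
```
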
