Interesting idea. We'd have to think about whether there would be any
way for the malicious cross-site scripter to get the value of the random
key attribute. If they could do so, they could generate a valid closing
tag and proceed with active content.
It would be great to feel like there was something we could do about
cross-site scripting on the browser end; however, it's fundamentally a
server configuration problem, and I think Ben's concerns are valid - a
server-side library is a more robust solution which would cover all
browsers, not just ours.
-Mitch
Ben Bucksch wrote:
IIRC, the argument on the www-html list was to make server-side libs.