On Fri, 28 Jan 2005 13:21:08 -0800, Tim Bray <[EMAIL PROTECTED]> wrote:
Whereas you could technically get by with warning-by-reference, I think that it's OK and fact probably essential to point out that <img> and <script> and <object> and so on; are potentially lethal;
I agree. However, it is impossible to write a specification today about security issues we don't know of, but those we do know, like the elements you mention, should also be mentioned in the specification.
I thought Joe got about the right level, except for the "what to do" stuff.
Yep. If he leaves that out of the pace, I'm all +1 to it.
-- Asbjørn Ulsberg -=|=- http://virtuelvis.com/quark/ «He's a loathsome offensive brute, yet I can't look away»