On Sat, 29 Jan 2005 06:06:54 +0100, Asbjørn Ulsberg <[EMAIL PROTECTED]> wrote:

> On Fri, 28 Jan 2005 13:21:08 -0800, Tim Bray <[EMAIL PROTECTED]> wrote:
>
> > Whereas you could technically get by with warning-by-reference, I think
> > that it's OK and in fact probably essential to point out that <img> and
> > <script> and <object> and so on, are potentially lethal.
>
> I agree. However, it is impossible to write a specification today about
> security issues we don't know of, but those we do know, like the elements
> you mention, should also be mentioned in the specification.
>
> > I thought Joe got about the right level, except for the "what to do"
> > stuff.
>
> Yep. If he leaves that out of the Pace, I'm all +1 to it.
Glad to hear it. I have changed the wording of the Pace to remove all the
'what to do' text:

    "The following is a short list of the potential problems that processing
    and displaying markup can cause. This list is not comprehensive and every
    consumer of Atom must consider carefully which elements and attributes are
    appropriate to process and display."

Again, I'd be open to security by reference if we could point to a source or
sources that were at least as comprehensive as the list in the Pace. Given the
dearth of resources found so far, should we consider putting together an
informational RFC on Security Concerns for Processing and Displaying (X)HTML?
Is there a more appropriate WG for that work to take place in?

-joe

--
Joe Gregorio http://bitworking.org
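An added illustration of the "consumer must consider carefully which elements and attributes are appropriate to display" advice, written for this thread and not part of the Pace or of any Atom implementation: an allowlist filter over the XHTML content of an Atom entry that drops <script>, <object> and <img> (and any other element not on the list) together with event-handler attributes and javascript: links. The Atom 1.0 namespace, the allowlist itself and the sample entry are assumptions made for the example.

```python
"""Allowlist filter for XHTML content carried in an Atom entry (added example)."""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"          # assumed Atom 1.0 namespace
XHTML = "http://www.w3.org/1999/xhtml"

# Elements this consumer chooses to render; anything else is removed with its subtree.
ALLOWED_ELEMENTS = {"div", "p", "a", "em", "strong", "ul", "ol", "li", "br"}
# Attributes kept per element; on* handlers, style, src etc. never pass the allowlist.
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def sanitize(elem):
    """Prune elem in place; return the local names of every element dropped."""
    dropped, prev = [], None
    for child in list(elem):
        name = _local(child.tag)
        if name not in ALLOWED_ELEMENTS:
            dropped.append(name)
            # Keep the text that followed the removed element, discard its subtree.
            tail = child.tail or ""
            if prev is None:
                elem.text = (elem.text or "") + tail
            else:
                prev.tail = (prev.tail or "") + tail
            elem.remove(child)
            continue
        for attr in list(child.attrib):
            aname = _local(attr)
            if aname not in ALLOWED_ATTRS.get(name, set()):
                del child.attrib[attr]
            elif aname == "href" and not child.attrib[attr].strip().lower().startswith(SAFE_SCHEMES):
                del child.attrib[attr]   # e.g. javascript: or data: links
        dropped.extend(sanitize(child))
        prev = child
    return dropped

def sanitize_entry(entry_xml):
    """Return (filtered content markup, dropped element names) for one Atom entry."""
    entry = ET.fromstring(entry_xml)
    content = entry.find(f"{{{ATOM}}}content")
    if content is None or content.get("type") != "xhtml":
        raise ValueError('only type="xhtml" content is handled in this example')
    div = content.find(f"{{{XHTML}}}div")
    dropped = sanitize(div)
    return ET.tostring(div, encoding="unicode"), dropped

# Constructed sample entry carrying the elements the thread names.
SAMPLE = f"""<entry xmlns="{ATOM}"><title>t</title><content type="xhtml">
<div xmlns="{XHTML}"><p>Hi <a href="javascript:alert(1)">x</a>
<script>alert(1)</script><object data="a.swf"/><img src="http://e/x.png"/></p></div>
</content></entry>"""
```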