Sam Ruby wrote:
> It seems to me that we have an obligation to either (1) disallow HTML, or (2) mitigate allowing HTML by providing a security section such as this one.
> If (2) can be solved by reference, then that clearly would be preferred. But to date, no such reference has been found.
So, engaging in bad specification practice[0] is the answer? HTML security is a problem for the W3C and/or an HTML-WG. Existing RFCs constitute the IETF's definition of adequate security coverage for HTML. If we want to change the status quo in our document, we need to say that we're updating those RFCs at the top of our document.
Robert Sayre
[0] http://www.imc.org/atom-syntax/mail-archive/msg12625.html