On 13 October 2017 at 09:20, Kevin Smith <[email protected]> wrote:
> On 12 Oct 2017, at 21:22, Dave Cridland <[email protected]> wrote:
>> I hereby promise a concrete proposal on
>> these - it ought to handle a few other cases too.
>
> Ta, I think that’s needed for the discussion. One issue here is that I think
> Sam’s argument is that it’s
> 1) too tempting, for whatever reason, when you have a chunk of HTML you want
> to render to dump it straight into .innerHTML or such without sanitisation
> 2) fundamentally impossible to put a sufficient amount of verbiage into
> XHTML-IM to mitigate this inclination
> 3) not acceptable that we have a spec that leads, through this temptation, to
> people injecting straight into the DOM
>
Seems a reasonable summary. I might add that:

4) XHTML-IM is a sledgehammer to crack the nut of what users actually want.

There *is* generic protection here on modern browsers, mind - you need to render the XHTML inside a sandboxed, CSP'd iframe, I believe.

> This leads me to wonder whether the replacement is going to go something like:
>
> A) There’s a new spec that says *something* should render something in bold
> B) Devs implement this by converting *something* into <b>something</b>
> C) Devs now have a chunk of HTML that they want to render
> D) See (1)
> E) See (2)
> F) See (3)
>

Well, no. Let's say that, given certain handwaving, a UA decides to render *something* as bold, and the implementation does this by <b>something</b>.

a) Is it likely that the conversion from a Markdown-like syntax will intentionally generate malicious HTML?

b) Is it likely that an attacker could cunningly manipulate a couple of asterisks in order to generate such HTML?

c) Is it likely that there will exist a generic attack against virtually every web-based UA?

With XHTML-IM, the answer to all three is "yes". With something Markdownish, I don't think it is.

Dave.

_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
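The steps A-F above and the innerHTML temptation in point 1 are easy to see side by side in code. The following is an added example written for this page, not code from the thread or from any XMPP client: `naiveBoldToHtml` is the regex shortcut of step B, which leaves every other character of the message untouched; `safeBoldToHtml` and `mountBold` render the same `*bold*` syntax while ensuring the only markup in the output is the `<b>` the renderer itself emits; `sandboxedFrameAttributes` sketches the sandboxed, CSP'd iframe Dave mentions for the case where a real HTML fragment must be rendered anyway. All function names, the CSP string and the sample message are mine.

```javascript
// Added example (not from the thread): rendering a Markdown-like *bold* syntax
// without handing message text to innerHTML. All names here are assumptions.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Tokenize `*bold*` spans into [{bold, text}, ...]. An unmatched '*' stays
// literal text, so odd input cannot yield unclosed markup downstream.
function tokenizeBold(text) {
  const tokens = [];
  const re = /\*([^*\n]+)\*/g;
  let last = 0;
  let m;
  while ((m = re.exec(text)) !== null) {
    if (m.index > last) tokens.push({ bold: false, text: text.slice(last, m.index) });
    tokens.push({ bold: true, text: m[1] });
    last = re.lastIndex;
  }
  if (last < text.length) tokens.push({ bold: false, text: text.slice(last) });
  return tokens;
}

// Step B from the thread: a regex that emits <b>...</b> but passes every other
// character of the message through. Anything that already looks like markup
// in the message survives into the result, which is then one .innerHTML away
// from the DOM.
function naiveBoldToHtml(text) {
  return text.replace(/\*([^*\n]+)\*/g, "<b>$1</b>");
}

// Hardened string form: each segment that came from the message is escaped,
// and the only tags in the output are the <b> tags this renderer writes.
function safeBoldToHtml(text) {
  return tokenizeBold(text)
    .map((t) => (t.bold ? `<b>${escapeHtml(t.text)}</b>` : escapeHtml(t.text)))
    .join("");
}

// Preferred form: build DOM nodes directly, so no HTML string is parsed at all.
// `doc` is the document to create nodes in (injectable so it runs without a browser).
function mountBold(container, text, doc = globalThis.document) {
  for (const t of tokenizeBold(text)) {
    const textNode = doc.createTextNode(t.text);
    if (t.bold) {
      const b = doc.createElement("b");
      b.appendChild(textNode);
      container.appendChild(b);
    } else {
      container.appendChild(textNode);
    }
  }
  return container;
}

// When a UA must render a real HTML fragment anyway, the generic browser-side
// protection is an iframe with sandbox="" (no allow-* tokens: no scripts, forms,
// plugins or same-origin access) whose srcdoc carries a restrictive CSP.
function sandboxedFrameAttributes(htmlFragment) {
  const csp = "default-src 'none'; img-src data: https:; style-src 'unsafe-inline'";
  return {
    sandbox: "",
    referrerpolicy: "no-referrer",
    srcdoc: `<!doctype html><meta http-equiv="Content-Security-Policy" content="${csp}">${htmlFragment}`,
  };
}

// Constructed sample message: one bold span plus characters that are markup in HTML.
const SAMPLE = "say *hi* to 1 < 2 & <i>not italic</i>";

console.log("naive:", naiveBoldToHtml(SAMPLE));
console.log("safe: ", safeBoldToHtml(SAMPLE));
```

Running it shows the difference the thread is arguing about: the naive form keeps `<i>not italic</i>` as live markup, the safe form renders it as the literal text the sender typed, and `mountBold` never produces an HTML string for anything to parse.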
