On Thu, 07 Jun 2007 00:20:18 +0200, Ian Hickson <[EMAIL PROTECTED]> wrote:

>> Preventing such attacks by an HTML cleaner would require either making a full list of all "forbidden" IDs, class names etc, or imposing Draconian rules upon user-supplied content, completely disallowing such useful attributes as id and class.

> I'm not really convinced there's that much use in user-supplied IDs and classes, but the rules needn't be that draconian. The server could automatically prepend the commentN string to IDs and classes.

IDs in user-supplied content are only useful as fragment identifiers for URLs, and mangling them like that defeats this use case because you don't know N before you post the comment, and therefore can't make internal links within the body (and it's also unobvious when you try to make links to parts of your article afterwards).
-- Alexey Feldgendler <[EMAIL PROTECTED]> [ICQ: 115226275] http://feldgendler.livejournal.com
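Added illustration, not part of the thread and not any project's code: a small Python HTML cleaner that implements the per-comment prefixing Ian describes, and goes one step further than the thread by also rewriting same-document links (`href="#x"`) into the same namespace, so a commenter can still link between parts of their own text without knowing N at posting time. The allowlist of tags/attributes, the token shape accepted for ids and classes, and the `comment42` prefix are all assumptions made for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for a comment body; everything else is dropped.
ALLOWED_TAGS = {"p", "a", "em", "strong", "span", "div", "h2", "ul", "ol", "li", "code", "pre", "br"}
ALLOWED_ATTRS = {"id", "class", "href", "title"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}   # tag and its text are removed entirely
_TOKEN = re.compile(r"^[A-Za-z][\w-]*$")   # conservative id/class token shape (assumption)
_SAFE_URL = re.compile(r"^(https?://|/(?!/))", re.IGNORECASE)   # absolute http(s) or site-relative path


class NamespacingCleaner(HTMLParser):
    """Re-serialise an allowlisted subset of the input, moving ids, classes
    and fragment links into a per-comment namespace (prefix + '-')."""

    def __init__(self, prefix):
        super().__init__(convert_charrefs=True)
        self.prefix = prefix
        self.out = []
        self._skip = 0   # >0 while inside <script>/<style>

    def _rewrite(self, name, value):
        # Return the attribute value to emit, or None to drop the attribute.
        if name == "id":
            return f"{self.prefix}-{value}" if _TOKEN.match(value) else None
        if name == "class":
            toks = [t for t in value.split() if _TOKEN.match(t)]
            return " ".join(f"{self.prefix}-{t}" for t in toks) or None
        if name == "href":
            if value.startswith("#"):
                # Same-document link: point it at the namespaced id so that a
                # commenter's own internal links keep working after prefixing.
                frag = value[1:]
                return f"#{self.prefix}-{frag}" if _TOKEN.match(frag) else None
            return value if _SAFE_URL.match(value) else None   # drops javascript:, data:, etc.
        return value   # title: plain text, escaped on output

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue
            new = self._rewrite(name, value)
            if new is not None:
                parts.append(f'{name}="{escape(new, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)   # avoid the default start+end pair for <br/>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def clean(prefix, fragment):
    """Return `fragment` restricted to the allowlist, with ids, classes and
    same-document links rewritten into the `prefix` namespace."""
    p = NamespacingCleaner(prefix)
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # Constructed sample comment; "comment42" stands in for the thread's commentN.
    sample = ('<p id="intro" class="note big">See <a href="#intro">above</a>.</p>'
              '<script>alert(1)</script><a href="javascript:alert(1)" id="login">x</a>')
    print(clean("comment42", sample))
```

Because every fragment link is rewritten along with the ids, a comment can only target anchors inside its own namespace; a user-supplied `id="login"` or `href="#login"` can no longer collide with, or point at, an element the page itself owns. The remaining cost is the one raised in the reply above: links made from outside the comment (for example from a later article) still need the final `commentN-` prefix, which the author only learns after posting.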
