Sylvain Hellegouarch wrote:
A slightly revised straw man proposal based on various comments: 15.7 Code Injection Atom Feed and Entry documents can contain almost any text or code you can imagine, including but not limited to SQL, PHP, HTML, CSS, XPath, and XQuery. Servers SHOULD escape all content received from a client after parsing and before storage as necessary to prevent its interpretation as code rather than as data.s/SHOULD/MAY There is no need for a SHOULD here.
Perhaps I'm not phrasing it right, or perhaps there's just genuine disagreement. Some people have pointed out that there are systems in which such injection is not a concern, because the Atom content is never treated as code. That's fine, and that's what I'm trying to say with "as necessary". What I want here is really a conditional SHOULD.
However, I also gather that some people do not feel it is the purpose of the APP spec to mandate security practices that are necessary. That I simply disagree with. Code injection has been too serious a real world problem with the frameworks people will use to build APP servers to make me comfortable with anything less strong.
-- Elliotte Rusty Harold elharo@xxxxxxxxxxxxxxx Java I/O 2nd Edition Just Published! http://www.cafeaulait.org/books/javaio2/ http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/