
Re: PaceFormatSecurity




Tim Bray wrote:


On Jan 28, 2005, at 12:55 PM, Robert Sayre wrote:

> I would strike all the details on HTML, leave the first paragraph,
> and refer to the security sections of RFC 2854 and HTML 4.01.


Whereas you could technically get by with warning-by-reference, I think that it's OK and in fact probably essential to point out that <img> and <script> and <object> and so on are potentially lethal; I thought Joe got about the right level, except for the "what to do" stuff.

My problem with the "list" approach is that it can never be exhaustive. For example, it doesn't talk about table cells with a "background" attribute, and other junk that HTML components will happily render. And who knows what the WhatWG will have dreamt up.



Antone Roundy wrote:

I took a look at these, and didn't find them particularly enlightening. If there were an RFC with a more comprehensive and clear explanation of potential security issues with HTML, I wouldn't be opposed to simply referring to it, but given that I haven't seen one, I'm in favor of including more detail here.

I agree that they could be better. However, the proposed text isn't even close to comprehensive (not that Joe is suggesting it is). I'm in favor of pointing to the best stable references we can and exuding paranoia.


Perhaps we could crib a bit from RFC 2557 (HTML email).[0]

Robert Sayre

[0] http://www.faqs.org/rfcs/rfc2557.html
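
The gap in the "list" approach raised in this message, as an added example that is not part of the original thread or of any Atom draft text: a filter that drops only the named elements lets the table-cell "background" attribute through, while a filter that keeps only known-good tags and attributes removes it. The `Filter` class, the `ALLOW` policy, the function names and the sample markup are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed entry content; example.invalid is a placeholder host.
SAMPLE = (
    '<p>Hi <img src="http://example.invalid/a.gif"></p>'
    '<table><tr><td background="http://example.invalid/b.gif">x</td></tr></table>'
)

# Denylist: the three elements named in the thread.
DENY_TAGS = {"img", "script", "object"}
# Allowlist: assumed policy mapping each permitted tag to its permitted attributes.
ALLOW = {"p": set(), "table": set(), "tr": set(), "td": {"colspan"}}


class Filter(HTMLParser):
    """Re-serialises markup, keeping only what keep(tag, attr) approves."""

    def __init__(self, keep):
        super().__init__(convert_charrefs=True)
        self.keep = keep  # keep(tag, None) decides the tag, keep(tag, name) an attribute
        self.out = []

    def handle_starttag(self, tag, attrs):
        if not self.keep(tag, None):
            return
        kept = "".join(
            f' {name}="{escape(value or "")}"'
            for name, value in attrs if self.keep(tag, name)
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self.keep(tag, None):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped


def _run(keep, markup):
    f = Filter(keep)
    f.feed(markup)
    f.close()
    return "".join(f.out)


def denylist(markup):
    # Drops listed tags; every attribute on every other tag survives.
    return _run(lambda tag, attr: tag not in DENY_TAGS, markup)


def allowlist(markup):
    # Unknown tags and unknown attributes are dropped by default.
    return _run(lambda tag, attr: tag in ALLOW and (attr is None or attr in ALLOW[tag]), markup)
```
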