[17118] in bugtraq
Re: Cross site scripting: a long term fix
daemon@ATHENA.MIT.EDU (Tollef Fog Heen)
Mon Oct 9 16:10:10 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <87vgv2o023.fsf@manon.intern.opera.no>
Date: Mon, 9 Oct 2000 11:07:00 +0200
Reply-To: Tollef Fog Heen <tollef@ADD.NO>
From: Tollef Fog Heen <tollef@ADD.NO>
X-To: ZagZig@BIGFOOT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Zag Zig's message of "Sat, 7 Oct 2000 06:50:24 +0900"
* Zag Zig
| 1.6. Proposal to add a safe quoting tag to HTML
|
| The HTMLEncode solution above is better than filtering.
| I propose that a solution for quoting markup should be built into
| the HTML specification and therefore made available to all servers
| for use with both static and dynamically generated text.
Which it has been, but it was then deprecated and is now obsoleted. From
html-2.1e (from the IETF):
<!ENTITY % literal "CDATA"
        -- historical, non-conforming parsing mode where
           the only markup signal is the end tag
           in full
        -->
<!ELEMENT (XMP|LISTING) - - %literal>
It didn't have the same options as yours (adding stuff to the ending
tags etc), and caused problems.
It is probably better to add a tag which means something like 'get
this URI, insert it here, but treat it like mime/type (or let the
server which returns it decide)'.
IMHO, my 0.02$
--
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.
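As an added example (not part of this post or the thread), a small Python model of the two approaches the thread compares: the XMP/LISTING literal mode quoted above, where the end tag is the only markup signal, against HTMLEncode. UNTRUSTED is constructed sample input, and the regex is an assumed, simplified model of how a browser finds the end of an XMP literal.

```python
import html
import re

# Constructed sample of untrusted text (not from the post).  It carries the
# literal element's own end tag, which is the one thing XMP cannot contain.
UNTRUSTED = "x < y && y > z </XMP ><i>now parsed as markup</i>"


def wrap_in_xmp(text: str) -> str:
    """HTML 2.x approach from the DTD quoted in the post: XMP holds CDATA,
    so the text is emitted unchanged and the end tag is the only delimiter."""
    return "<xmp>" + text + "</xmp>"


def html_encode(text: str) -> str:
    """HTMLEncode approach endorsed in the thread: markup characters become
    entities, so nothing in the text can open or close an element."""
    return html.escape(text, quote=True)


# Assumed model of the literal parsing mode: body runs to the first end tag
# (case-insensitive, optional whitespace before '>'); the rest is markup.
_XMP = re.compile(r"<xmp>(.*?)</xmp\s*>(.*)\Z", re.IGNORECASE | re.DOTALL)


def split_xmp_literal(fragment: str):
    """Return (literal_body, trailing_markup) for a wrapped fragment."""
    m = _XMP.match(fragment)
    if m is None:
        raise ValueError("not an xmp fragment")
    return m.group(1), m.group(2)


def xmp_breaks_out(text: str) -> bool:
    """True when wrapping `text` in XMP leaves part of it outside the
    literal, i.e. the text itself supplied the end tag."""
    _, trailing = split_xmp_literal(wrap_in_xmp(text))
    return trailing != ""


def encoded_is_inert(text: str) -> bool:
    """True when the encoded form has no characters that start or end
    markup, so no end tag can be supplied by the text."""
    out = html_encode(text)
    return "<" not in out and ">" not in out


if __name__ == "__main__":
    print("xmp breaks out:", xmp_breaks_out(UNTRUSTED))
    print("encoded is inert:", encoded_is_inert(UNTRUSTED))
```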