anomy-list

Re: Defanging <STYLE>

From: David Santinoli (76435@xyz.molar.is)
Date: Wed 07 May 2003 - 08:26:50 GMT

  • Next message: Bjarni R. Einarsson: "Re: Defanging <STYLE>"

    On Wed, May 07, 2003 at 12:11:36AM +0000, Bjarni R. Einarsson wrote:
    > On 2003-05-07, 01:45:58 (+0200), David Santinoli wrote:
    > > There seems to be no previous mention whatsoever of my specific case
    > > in the archives, which puzzles me: am I really the first one to
    > > notice this gross misbehaviour (maybe due to its neglectable impact
    > > on rendered content in most cases) or am I missing something?
    >
    > Yes. :-) It's not a bug, it's a feature.
    >
    > When the HTML cleaner was written I didn't have the skills or
    > resources to appraise the security implications of CSS styles, so
    > I defanged them.
    >
    > I haven't had time to write such a beast yet though, so for now
    > STYLE blocks are defanged completely.

    Don't get me wrong, I'm not criticizing the concept of defanging STYLE.
    I'm just pointing out that IMO the sequence

      <style></style>

    should be translated into

      <DEFANGED_style_0></DEFANGED_style_0>

    and not into

      <DEFANGED_style_0 </style>

    (note the missing '>' in the first tag, and the two tags' mismatch; this
    is the "gross misbehaviour" I was referring to in my previous mail).
    How dare you call this a feature? :-)

    Cheers,
     David

    -- 
     David Santinoli, Milano             +   <76519@xyz.molar.is>
     Independent Linux/Unix consultant   +   http://www.santinoli.com
    



    hosted by molar.is