XSS prevention is a very important and costly part of a website's security.
Because XSS is currently prevented by matching for JS in user input
and is then either blocked or masked by the Web Developer, each on his
own site,
XSS attacks find differences between the matching of the Web Developer
and the Browser, such that the Web Developer's matching doesn't
recognize JS as JS, but the Browser executes it.

This is a constant fight between the Web Developer and the XSS attacker,
that costs many resources needed somewhere else instead.
And this fight favors larger business over small Web developers.

I think that this fight can be terminated by letting the
Web Developer not guess what the Browser may think to be JS
and instead tell him explicitly that somewhere shouldn't be any code.
The Browser then behaves in that region like
he would have JS disabled.

I would do that with a new attribute, called noscripts.
Inside an HTML element with noscripts = "true",
the Browser handles anything inside that element like
JS would be disabled globally.

An example HTML would look like this:
<!doctype html>
<html>
...
<div noscripts="true">
<script>
// No danger by unescaped <script> tags
</script>
<button onclick="nor by Event listeners">Click me</button>
...
</html>

If you know a way to do this without any differences between what the
Browser executes and whatever that mechanic lets pass, let me know
and let me know why it isn't taught in every HTML/JS Tutorial and
every Documentation about Web Development.
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
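
The gap the post describes between matching for JS and what the browser parses, shown as an added example that is not part of the original message: a pattern-based filter is run next to plain output encoding on the two cases from the post's HTML (a script tag and an onclick attribute). All function names and sample strings are constructed for illustration.

```javascript
// Added example. blocklistFilter, escapeHtml, renderComment, containsLiveTag
// and compare are hypothetical names, not taken from the post.

// Matching approach: remove what the developer's pattern recognizes as script.
function blocklistFilter(input) {
  return input.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
}

// Encoding approach: nothing is matched as "JS"; every character that is
// significant in HTML element content or a quoted attribute becomes text.
const ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

const OPEN = '<div class="comment">';
const CLOSE = "</div>";
function renderComment(userText, sanitize) {
  return OPEN + sanitize(userText) + CLOSE;
}

// True if the user-controlled part still contains something an HTML parser
// would read as the start of a tag.
function containsLiveTag(html) {
  const inner = html.slice(OPEN.length, html.length - CLOSE.length);
  return /<[a-z!\/]/i.test(inner);
}

// Constructed inputs mirroring the two cases in the post's example HTML.
const samples = [
  "<script>doSomething()</script>",
  '<button onclick="doSomething()">Click me</button>',
];

function compare() {
  return samples.map((input) => ({
    input,
    blocklistLeavesTag: containsLiveTag(renderComment(input, blocklistFilter)),
    escapedLeavesTag: containsLiveTag(renderComment(input, escapeHtml)),
  }));
}

for (const row of compare()) {
  console.log(row);
}
```

The encoding shown is only correct for HTML element content and quoted attribute values; other contexts (script blocks, URLs, CSS) need their own encoding.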
