Interesting idea. We'd have to think about whether there would be any way for the malicious cross-site scripter to get the value of the random key attribute. If they could do so, they could generate a valid closing tag and proceed with active content.

It would be great to feel like there was something we could do about cross-site scripting on the browser end; however, it's fundamentally a server configuration problem, and I think Ben's concerns are valid - a server-side library is a more robust solution which would cover all browsers, not just ours.
-Mitch


Ben Bucksch wrote:
IIRC, the argument on the www-html list was to make server-side libs.


