On Mar 29, 2013, at 4:21 PM, Paul Libbrecht <p...@hoplahup.net> wrote:
> Nice catch for this example you provide below.
> The "solution" to this issue would be to simply empty the script element
> instead of stripping it away. Right?

Unfortunately, that approach won't be backward compatible. Also, it's somewhat dangerous to leave an empty script element in the document.

> In your original mail, however, you write:
>> It would be great to mention what kind of manipulations user agents are
>> allowed to do to make the pasted content secure.
>
> I think this claim is exactly why Halvord has removed the sanitization
> section. It seems highly implementation-dependent to decide on the security
> of a fragment of content.
> I feel the section on the sanitization should be expressed with "should"
> expressing recommendations such as that of emptying script elements or
> replacing object or embed elements by corresponding images. I'm pretty
> sure conservative approaches will start by doing a similar replacement with
> video elements, for example, but might include them after some other
> introspection (e.g. that it is not pulling from a streaming source).

The section was removed due to lack of implementations. I'm fine with not having an explicit algorithm. However, there appears to be a significant interoperability issue if we were to not define what user agents may or may not do.

- R. Niwa