On 27.08.2010 00:45, Adam Barth wrote:
> ...
> Escaping just those characters is insufficient.  The appeal of this
> approach is that authors don't need the right blacklist of dangerous
> characters.  By the way, there are already folks doing something
> similar manually now.  They send the untrusted bytes as base64 and
> decode them using JavaScript.

That sounds like a good idea which doesn't have the deployment problem.

> ...
> On Thu, Aug 26, 2010 at 1:30 PM, Julian Reschke <julian.resc...@gmx.de> wrote:
>> I now get the point about the additional problems in script, but I fail to
>> see how the proposal addresses this, unless expanding these entities is
>> supposed to happen *after* parsing the script.
>
> Yes.  That's precisely what happens.

Ok. To be clear: the same applies to HTML entities in text/html, but not for XML entities in application/xhtml+xml (because of the different handling of <script> content).

So, what's the implication for XHTML?

Best regards, Julian
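An added example, not part of the thread and not code from either poster, illustrating the base64 workaround Adam Barth refers to. It embeds a constructed attacker-controlled string into an inline script element two ways: first escaping only the characters that matter inside a JavaScript string literal, then as base64 decoded by JavaScript on the page. A small tokenizer check stands in for the HTML parser's rule that script data ends at the first `</script`, whatever the JavaScript syntax around it. The function names, the `decodeUntrusted` helper and the use of Node's `Buffer` in place of a real server-side encoder are all assumptions made for the example.

```javascript
// Added example (not from the thread). Shows why escaping only JS-string
// characters in an inline <script> is insufficient, and how sending the
// untrusted bytes as base64 and decoding them in JavaScript avoids the problem.

// Constructed attacker-controlled input: it ends the script element and starts a new one.
const UNTRUSTED = '</script><script>alert(1)</script>';

// Escapes only what a JavaScript string literal cares about: backslash, quote, newline.
function jsStringEscape(s) {
  return s.replace(/\\/g, '\\\\').replace(/"/g, '\\"').replace(/\n/g, '\\n');
}

// Naive embedding: the value is syntactically a valid JS string, but the HTML
// parser tokenizes the script element before the JS engine ever runs.
function naiveInlineScript(s) {
  return '<script>var data = "' + jsStringEscape(s) + '";</script>';
}

// Stand-in for the HTML tokenizer rule: script data ends at the first "</script"
// (case-insensitive). Returns true if the body contains a "</script" other than
// the closing tag we appended, i.e. the untrusted value broke out of the element.
function scriptBodyBreaksOut(html) {
  const body = html.slice('<script>'.length);
  const firstEnd = body.toLowerCase().indexOf('</script');
  return firstEnd !== body.length - '</script>'.length;
}

// Base64 output only ever uses [A-Za-z0-9+/=], so it cannot contain '<', '>',
// quotes, backslashes or newlines, and no blacklist of dangerous characters is needed.
function isBase64Alphabet(s) {
  return /^[A-Za-z0-9+/=]*$/.test(s);
}

// Server side (Node's Buffer stands in for whatever the server uses to encode).
function base64InlineScript(s) {
  const b64 = Buffer.from(s, 'utf8').toString('base64');
  return '<script>var data = decodeUntrusted("' + b64 + '");</script>';
}

// Client side. atob() returns a "binary string" with one character per byte;
// map it back to bytes and UTF-8 decode so non-ASCII input round-trips correctly.
// (Falls back to Buffer when run outside a browser, e.g. in older Node.)
function decodeUntrusted(b64) {
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('latin1');
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Usage: compare both embeddings of the same untrusted value.
console.log('naive breaks out:', scriptBodyBreaksOut(naiveInlineScript(UNTRUSTED)));      // true
console.log('base64 breaks out:', scriptBodyBreaksOut(base64InlineScript(UNTRUSTED)));    // false
console.log('round trip:', decodeUntrusted(Buffer.from(UNTRUSTED, 'utf8').toString('base64')) === UNTRUSTED);
```

The decoded string is still untrusted data once it exists in the page: it should be assigned to `textContent` or otherwise treated as text, not handed to `innerHTML` or `eval`. In `application/xhtml+xml` the script body is ordinary XML character data, so a literal `<` or `</script>` in it is equally fatal there; the base64 alphabet sidesteps that as well, without CDATA sections or entity escaping.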
