RE: is it possible to handle an XML/HTML elements attribute via the URI? from Matthew Millar on 2010-10-30 (uri@w3.org from October 2010)

From: Matthew Millar <mattmill30@hotmail.com>
Date: Sun, 31 Oct 2010 00:09:02 +0100
To: <usenet2010@cfaerber.name>, <uri@w3.org>
Message-ID: <SNT116-W1785B248B18B56B904DE2AC4460@phx.gbl>

Hi Claus,

I haven't got alot of XSS experience, so please correct me if I'm mistaken.

As far as i'm aware, XSS comes into play, when a website or perhaps a server has malicious code or handles a request badly, to the extent that some information gets passed to another website or server, i.e. javascript creating a call to a remote database and recording data from the local machine.

I think this feature could be standardised so it wasn't an XSS threat, however it would have to be strictly specified as to what attributes could be controlled, or perhaps what elements could be handled, i.e. only 100% benign HTML, and CSS.

Thanks,

Matthew Millar

> To: uri@w3.org
> From: usenet2010@cfaerber.name
> Date: Sat, 30 Oct 2010 18:20:53 +0200
> Subject: Re: is it possible to handle an XML/HTML elements attribute via the  URI?
> 
> On 2010-10-28 02:32:41 +0200, Matthew Millar said:
> > This would be extremely useful, if you wanted to highlight a particular 
> > section of a page, or want a particular element to render/behave 
> > differently.
> 
> Which, unfortunately, makes it a perfect attack vector for cross-site 
> scripting (XSS).
> 
> Claus
> 
> 
> 
>

Received on Saturday, 30 October 2010 23:09:35 UTC