Security Markup
From: Ahmed Saad <ahmed.lists@gmail.com>
Date: Sat, 19 Aug 2006 16:25:22 +0300
Message-ID: <d334e39d0608190625w1d9d8311pbcd68f26a78ab5af@mail.gmail.com>
To: www-html@w3.org

Hello all,

I'm no expert on (X)HTML but I had an idea that I think might help implement more secure web applications, in more specific words, protecting users against XSS attacks. The idea is to add a "nocode" (or a more descriptive name) attribute to elements that hints the browser to not execute any client-side code found within that element. For example, a content management system or a blog software that allows comments on some entry might use the following markup:

    <div id="comment123" nocode="true">
      <script type="text/javascript">alert('This piece of code will not be executed even though it evaded the server-side filter');</script>
    </div>

Of course it's not a complete alternative to server-side filters, but it would act as a secondary safeguard solidifying a "defense in depth" approach.

Comments are welcome.

Regards,
Ahmed

Received on Sunday, 20 August 2006 02:13:36 GMT