[whatwg] base64 entities

Julian Reschke julian.reschke at gmx.de
Fri Aug 27 02:23:57 PDT 2010


On 27.08.2010 00:45, Adam Barth wrote:
> ...
> Escaping just those characters is insufficient.  The appeal of this
> approach is that authors don't need the right blacklist of dangerous
> characters.  By the way, there are already folks doing something
> similar manually now.  They send the untrusted bytes as base64 and
> decode them using JavaScript.

That sounds like a good idea which doesn't have the deployment problem.

> ...
> On Thu, Aug 26, 2010 at 1:30 PM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> I now get the point about the additional problems in script, but I fail to
>> see how the proposal addresses this, unless expanding these entities is
>> supposed to happen *after* parsing the script.
>
> Yes.  That's precisely what happens.

Ok. To be clear: the same applies to HTML entities in text/html, but not 
for XML entities in application/xhtml+xml (because of the different 
handling of <script> content).

So, what's the implication for XHTML?

Best regards, Julian
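
The manual approach mentioned in the quoted text (send the untrusted bytes as base64, decode them in JavaScript), as an added example that is not part of the original message or of any proposal on the list. The function names, the Node.js server side and the sample string are assumptions made for illustration.

```javascript
// Added example; all names and the sample payload are constructed.

// Server side (Node.js assumed): encode untrusted text as base64 of its
// UTF-8 bytes. The base64 alphabet is A-Z a-z 0-9 + / =, so the output
// cannot terminate a string literal, a <script> element or an attribute,
// and no per-context list of dangerous characters is needed.
function encodeUntrusted(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}

// Server side: place the encoded value inside an inline script.
function renderInlineScript(untrustedText) {
  const b64 = encodeUntrusted(untrustedText);
  return '<script>var comment = decodeUntrusted("' + b64 + '");</script>';
}

// Client side: decode after the page and the script have been parsed.
// atob() yields one character per byte, so the bytes are decoded as
// UTF-8 explicitly; malformed input is rejected instead of repaired.
function decodeUntrusted(b64) {
  if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error('not base64');
  }
  const binary = atob(b64);
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Constructed sample: characters that matter in HTML, in a JS string
// literal and as a JS line terminator, plus a non-ASCII character.
const SAMPLE = '"; </script><b>hi</b> \u2028 \u00e9';

// The decoded value is the original untrusted string again: assign it
// with element.textContent (or equivalent), never with innerHTML.
```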


