<div dir="ltr">I'm not sure that I follow - it seems to me that searching for unescaped text and failing is not a reliable solution. As you mention:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr"><div>The problem is 1: that the user can easily write &lt;/span&gt; in his comment and bypass the sandbox and 2: it is not backward compatible. </div></div></blockquote><div><br> Say I input "&lt;/span&gt;" and the application developer has forgotten to sanitize user input or permits use of the &lt;span&gt; tag (and has done some poor checking for well-formed code). The application may later display a page with my input, thus containing (e.g.): &lt;span sandbox=1&gt; &lt;/span&gt; &lt;/span&gt;, where "&lt;/span&gt;" in the middle is my input.<br>
<br>Is this a span element with unescaped content ("&lt;/span&gt;"), or is it malformed HTML? In my eyes, it's the latter and if any UA were to treat it this way, it would be trivial to inject more harmful code. On a side note, would comments be permitted inside a sandbox? Developers may wish to have this functionality, but there is also the concern of a malicious user submitting the string "&lt;!--", which, from some brief testing, appears to cause problems in IE6 and possibly more UAs. I do not have significant experience with parsers so I can't say for sure if these issues are showstoppers but they raise some concerns.<br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div dir="ltr"><div>If the browser finds unescaped content inside a sandbox it should refuse to display the page - thereby forcing the author to fix this immediately.</div>
</div></blockquote><div><br>As mentioned previously on the topic of sandboxes, such a strict failing policy may not be desirable. Perhaps a more gentle approach is only not to render the sandbox's contents and perhaps display an error message in its stead.<br>
<br>Overall, I'm seeing sandbox elements to be weak safety nets. AFAIK, there is no way for a UA alone to perfectly determine what is author- or developer-generated and what is user-submitted; user input must go through some sanitizing process to be completely safe.<br>
</div><div><br>- James <br></div></div><br></div>
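The breakout James describes, as an added example that is not part of this thread: a constructed comment containing "&lt;/span&gt;" closes a naive sandbox span early, while a server-side sanitizing step (assumed here to be Python's html.escape) keeps it inert. The audit walker only reports structure; it cannot tell user text from author markup, which is the point made above.

```python
import html
from html.parser import HTMLParser

# Constructed user comment: the "</span>" trick from the mail, followed by markup
# that lands outside the sandbox if a UA honours the premature closing tag.
USER_COMMENT = 'nice post </span><b>outside the sandbox</b>'

def render_unescaped(comment):
    """Naive wrapping: the server trusts the UA to notice 'unescaped content'."""
    return '<span sandbox="1">' + comment + '</span>'

def render_escaped(comment):
    """Sanitizing step (assumed: html.escape): user text can never close the sandbox."""
    return '<span sandbox="1">' + html.escape(comment, quote=True) + '</span>'

class SandboxWalker(HTMLParser):
    """Records which start tags the parser meets while no sandbox span is open,
    and how many </span> have nothing left to close."""
    def __init__(self):
        super().__init__()
        self.depth = 0          # currently open sandbox spans
        self.tags_outside = []  # start tags met at depth 0
        self.stray_closers = 0  # </span> met at depth 0

    def handle_starttag(self, tag, attrs):
        if tag == 'span' and dict(attrs).get('sandbox') == '1':
            self.depth += 1
        elif self.depth == 0:
            self.tags_outside.append(tag)

    def handle_endtag(self, tag):
        if tag != 'span':
            return
        if self.depth == 0:
            self.stray_closers += 1
        else:
            self.depth -= 1

def audit(markup):
    """Parse markup the way a UA would and report what ended up outside the sandbox."""
    walker = SandboxWalker()
    walker.feed(markup)
    walker.close()
    return {'tags_outside': walker.tags_outside, 'stray_closers': walker.stray_closers}

if __name__ == '__main__':
    print(audit(render_unescaped(USER_COMMENT)))  # {'tags_outside': ['b'], 'stray_closers': 1}
    print(audit(render_escaped(USER_COMMENT)))    # {'tags_outside': [], 'stray_closers': 0}
```

Note that the audit cannot distinguish the broken unescaped output from author-written markup that legitimately places a tag after a closed sandbox; only escaping before rendering removes the ambiguity.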