[whatwg] Web Forms 2.0 comments - [ID] repetition index replacement
fantasai.lists at inkedblade.net
Tue Jun 22 11:15:55 PDT 2004
Ian Hickson wrote:
> On Tue, 15 Jun 2004, fantasai wrote:
>>Change the replacement punctuation from "[id]" to "-.id.-" or ":-id-:" or
>>something like that. This has two advantages:
>> a) The combination of that very unusual punctuation sequence (both
>> opening and closing) /and/ an exact match of the template ID is
>> going to be so rare as to be practically ignorable.
> Malicious users could trivially work out the combination that would break
> this, so I don't think that's a solution to the problem.
the way you used it to insert a style sheet into that CSS Test Suite.
They could do that to any page they wanted, in any element attribute they
wanted, without relying on the author supplying a repeat template *and*
using repetition index replacement in the *value* of a form control, which
itself would not be common. They could fake the form data, they could edit
the HTML doc itself, they could write their own malicious UA -- there are
many, many things malicious users could do for which the server needs to
have some safeguard, and this is the least of them.
The consideration here is accidentally matching the string of code, not
intentionally matching it.
>> b) ID and NAME attributes using the replacement mechanism can still
>> be valid.
> That's a good point though. I'm not sure I like "-.id.-" or ":-id-:", or
> ".id:" or "_id-" or other combinations I've looked at, though.
> ...hmm, none of those leap out at me.
I prefer the "use two bits of punctuation symmetrically" approach.
Using just a single one seems unwise; it's much more common.
"-:id:-" looks reasonable, I guess, if you're going for aesthetics.
I picked :-id-: 'coz it would be even rarer, and it does hold together
as a sort of visual box.
More information about the whatwg