[whatwg] Stability of tokenizing/dom algorithms

Ian Hickson ian at hixie.ch
Mon Dec 15 13:30:21 PST 2008


On Mon, 15 Dec 2008, Edward Z. Yang wrote:
> 
> > I wouldn't really worry about "4" vs "5". What matters is what works 
> > in browsers, or whatever tools your users are using. (This is one 
> > reason in HTML5 we do away with having the version number in the 
> > DOCTYPE.) I'd recommend just using the HTML5 DOCTYPE and then 
> > filtering the content to be whatever you want it to be.
> 
> HTML Purifier puts a high value on standards-compliance, and we've been 
> attacked on several occasions because of it. "Standards suck." To this I 
> have to say, standards compliance has helped defend against a number of 
> XSS attacks--enforcing it lowers attack surface and makes behavior much 
> more well-defined. So I feel like it's a goal worth striving for, in and 
> of itself, especially since you can't enforce semantics with computers.

I'm not saying don't be standards-compliant; I'm just saying use a subset 
of HTML5 that you feel comfortable with (which might also be a subset of 
HTML4, for that matter, just with the HTML5 DOCTYPE so that you don't have 
to worry about exactly which version you want to follow).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
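The advice in this exchange is to parse input as HTML5 and then keep only a subset you are comfortable with. Below is an added example of that pattern, written for this page; it is not HTML Purifier's code and not part of the thread. It builds an allow-list filter on Python's html.parser (a tolerant tokenizer, not a full HTML5 tree builder) and re-serializes from the allow list, so the output is well-defined regardless of what the tokenizer made of odd input. The element, attribute and URL-scheme allow lists are assumptions chosen for illustration.

```python
"""
Allow-list HTML filter: tokenize, keep an assumed subset of HTML5 elements
and attributes, and re-serialize.  Added example, not HTML Purifier's code.
"""
import re
from html import escape
from html.parser import HTMLParser

# Assumed subset for illustration: element -> attributes kept on it.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID = {"br", "img"}                         # never get an end tag
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}   # assumed policy; no javascript:/data:
DROP_WITH_CONTENT = {"script", "style"}      # tag and body both discarded

# URL scheme per the URL spec: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":"
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_url(value):
    """True for relative URLs and for absolute URLs with an allowed scheme."""
    # Browsers strip ASCII tab/newline anywhere in a URL before parsing,
    # so "java\tscript:" has to be judged as "javascript:".
    cleaned = re.sub(r"[\t\n\r]", "", value).strip()
    m = _SCHEME.match(cleaned)
    if m is None:
        return True                      # no scheme: relative URL
    return m.group(1).lower() in SAFE_SCHEMES


class AllowListFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # text and attr values arrive decoded
        self.out = []
        self.stack = []        # allowed elements currently open
        self.dropping = False  # inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True
            return
        if tag not in ALLOWED:
            return                       # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:        # names are already lower-cased
            if name not in ALLOWED[tag]:
                continue                 # drops on*, style, and anything unlisted
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        # HTML5 ignores the "/" in "<p/>"; treat it as a plain start tag.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if self.dropping:
            if tag in DROP_WITH_CONTENT:
                self.dropping = False
            return
        if tag not in self.stack:
            return                       # stray or disallowed end tag
        while self.stack:                # close unclosed children on the way
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes, <? ?> and <![CDATA[ ]]> never reach the output.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass

    def result(self):
        self.close()                     # flush the tokenizer's buffer
        while self.stack:                # close anything the input left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(fragment):
    f = AllowListFilter()
    f.feed(fragment)
    return f.result()


if __name__ == "__main__":
    # Constructed inputs for illustration, not taken from the thread.
    for src in ('<p onclick="x()">Hi <b>there</b></p>',
                '<a href="&#106;avascript:alert(1)">x</a>',
                '<img src="x" onerror="alert(1)">',
                '<scr<script>ipt>alert(1)</script>'):
        print(repr(src), "->", repr(sanitize(src)))
```

The defence here is that nothing reaches the output except markup rebuilt from the allow list and escaped text; tokenizer quirks on malformed input can only change what gets dropped. html.parser does not implement HTML5 tree construction (no implied end tags, no adoption agency), so for a real deployment the same allow-list step should sit on a spec-conformant parser.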
