Ben Adida ben at adida.net
Fri Jan 9 15:38:42 PST 2009

Tab Atkins Jr. wrote:
> To answer your specific question, <title> is under the control of the
> site author, and search engines already have elaborate methods to tell
> a spammy site from a hammy one, thus downranking them.

And RDFa is also entirely under the control of the site author.

> On the other hand, the hypothetical attack scenario I outlined was
> about metadata that could be added to the page by external parties.

I thought your attack concerned both author markup and commenter markup.
But it seems we agree on author markup: no additional risk there.

So on to commenter markup.

Most blogging software already white-lists the HTML elements and
attributes it allows, otherwise it is easily hacked with XSS. This
means that, by default, most blogging software will strip RDFa from
comments, which is exactly the right approach, since comments should not
have authority over the structured data of the page.
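As an added illustration of the white-listing approach described above (this is example code written for this page, not the code of any actual blogging package), the sanitizer below keeps only a fixed set of elements and attributes. The allowed set, the sample comment and the URL-scheme check are assumptions chosen for the example; the effect is that RDFa attributes such as about, typeof, property and rel never survive a comment, and neither do script blocks or javascript: links, so the comment cannot assert structured data or run code in the page.

```python
"""White-list comment sanitizer (added example; not from the thread or any real product)."""
import html
from html.parser import HTMLParser

# Assumed policy for the example: everything not listed here is dropped.
# No RDFa attribute (about, typeof, property, rel, rev, resource, datatype,
# content, prefix, vocab) appears in any value set, so RDFa cannot pass.
ALLOWED = {
    "p": set(),
    "em": set(),
    "strong": set(),
    "code": set(),
    "a": {"href", "title"},
    "blockquote": {"cite"},
}
URL_ATTRS = {"href", "cite"}
SAFE_PREFIXES = ("http://", "https://", "/")
DROP_CONTENT = {"script", "style"}   # tag and its text both vanish


def _safe_url(value):
    return value.strip().lower().startswith(SAFE_PREFIXES)


class CommentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # allowed tags currently open, for balancing
        self.skipping = None    # set while inside a DROP_CONTENT element
        self.dropped = []       # (tag, attr-or-None) removed, for logging

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_CONTENT:
            self.skipping = tag
            self.dropped.append((tag, None))
            return
        if tag not in ALLOWED:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append((tag, name))
                continue
            if name in URL_ATTRS and not _safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag == self.skipping:
                self.skipping = None
            return
        if tag not in self.open_tags:
            return                      # stray close tag: ignore it
        while self.open_tags:           # close anything left open inside it
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open_tags:           # balance tags the commenter left open
            self.out.append("</%s>" % self.open_tags.pop())


def sanitize(comment):
    """Return (clean_html, dropped) for an untrusted comment string."""
    p = CommentSanitizer()
    p.feed(comment)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample comment carrying RDFa, a script block and nothing else unusual.
SAMPLE_COMMENT = (
    '<p about="http://example.org/post/1" typeof="foaf:Document">'
    'Nice post, see <a href="http://example.org/me" rel="dc:creator" '
    'property="dc:title">my site</a>.<script>alert(1)</script></p>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_COMMENT)
    print(clean)
    print(dropped)
```

Running the block prints the comment with the paragraph, link and text intact but every RDFa attribute and the script removed, plus a list of what was dropped; logging that list is useful, since a burst of stripped "about"/"property" attributes is a reasonable signal that someone is probing the structured-data layer of the site.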
