[whatwg] base64 entities
Boris Zbarsky
bzbarsky at MIT.EDU
Thu Aug 26 13:25:46 PDT 2010
On 8/26/10 4:10 PM, Aryeh Gregor wrote:
> On Thu, Aug 26, 2010 at 5:58 AM, Julian Reschke <julian.reschke at gmx.de> wrote:
>> Not convinced. There's already one way to escape these things, and this is
>> supported in all UAs.
>
> Adam gave two examples of cases where htmlspecialchars() is
> insufficient, even if authors do use it. This proposal is completely
> general and will work anywhere, even in <script>.
Sorta. It'll let you put the data in <script>, but it won't verify that
the data doesn't change the meaning of the script, obviously, or inject
script of its own to run.
> Is automated general escaping even possible right now in <script> for text/html?
Defined how?
-Boris
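
Added example, not part of the thread and not code from any participant: a sketch of why htmlspecialchars()-style escaping does not carry over to inline <script> in text/html, next to one way of serializing data for that context. The function names and the sample string are assumptions constructed for illustration.

```javascript
// In text/html, <script> content is raw text: character references such as
// &lt; are not decoded there, so entity-escaped data reaches the script as-is.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// htmlspecialchars()-style escaping, correct for element content and attributes.
function htmlEscape(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// Serialize a value as a JS literal that can sit inside an inline <script>.
// JSON.stringify handles quotes and backslashes; the replace step then hides
// the characters the HTML tokenizer reacts to inside script data.
function jsLiteralForInlineScript(value) {
  const json = JSON.stringify(value);
  if (json === undefined) throw new TypeError('value is not JSON-serializable');
  return json.replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// True if the HTML tokenizer would see a script end tag or a comment opener
// inside this script body.
function breaksOutOfScript(body) {
  return /<\/script|<!--/i.test(body);
}

const sample = '</script><img src=x> & "quotes"'; // constructed input

function demo() {
  const entityEscaped = htmlEscape(sample);
  const naive = 'var d = ' + JSON.stringify(sample) + ';';
  const safe = 'var d = ' + jsLiteralForInlineScript(sample) + ';';
  return {
    naiveBreaksOut: breaksOutOfScript(naive),
    // The script would receive the entity text literally, not the original.
    entityRoundTrips: entityEscaped === sample,
    safeBreaksOut: breaksOutOfScript(safe),
    safeRoundTrips: JSON.parse(jsLiteralForInlineScript(sample)) === sample,
  };
}

console.log(demo());
```

This only keeps the value from ending the script element or the string literal; what the surrounding script then does with the value is a separate question.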