[whatwg] base64 entities
Julian Reschke
julian.reschke at gmx.de
Fri Aug 27 02:23:57 PDT 2010
On 27.08.2010 00:45, Adam Barth wrote:
> ...
> Escaping just those characters is insufficient. The appeal of this
> approach is that authors don't need the right blacklist of dangerous
> characters. By the way, there are already folks doing something
> similar manually now. They send the untrusted bytes as base64 and
> decode them using JavaScript.
That sounds like a good idea which doesn't have the deployment problem.
> ...
> On Thu, Aug 26, 2010 at 1:30 PM, Julian Reschke<julian.reschke at gmx.de> wrote:
>> I now get the point about the additional problems in script, but I fail to
>> see how the proposal addresses this, unless expanding these entities is
>> supposed to happen *after* parsing the script.
>
> Yes. That's precisely what happens.
Ok. To be clear: the same applies to HTML entities in text/html, but not
for XML entities in application/xhtml+xml (because of the different
handling of <script> content).
So, what's the implication for XHTML?
Best regards, Julian
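
Added example, not part of the original message: a Node.js sketch of the manual technique mentioned in the quoted text above (send the untrusted bytes as base64 and decode them using JavaScript). The function names and the sample string are constructed for illustration.

```javascript
// Server side (Node.js assumed): encode untrusted text as base64 of its
// UTF-8 bytes. The base64 alphabet (A-Z a-z 0-9 + / =) has no <, >, ", ',
// & or \, so the output cannot close a string literal or a <script> element.
function encodeUntrusted(text) {
  return Buffer.from(text, "utf8").toString("base64");
}

// Server side: build the inline script. Only base64 characters are
// interpolated into the markup, so no blacklist of dangerous characters
// is needed; the regex check is a defensive assertion on that property.
function renderInlineScript(untrusted) {
  const b64 = encodeUntrusted(untrusted);
  if (!/^[A-Za-z0-9+\/]*={0,2}$/.test(b64)) {
    throw new Error("unexpected character in base64 output");
  }
  return '<script>var data = decodeUntrusted("' + b64 + '");</script>';
}

// Client side: runs after the HTML and script parsers have finished, so the
// decoded characters are never seen by either parser.
// atob() yields one character per byte; TextDecoder restores the UTF-8 text
// and, with fatal: true, rejects malformed byte sequences.
function decodeUntrusted(b64) {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Constructed sample input containing characters that would break out of an
// inline script if interpolated directly, plus one non-ASCII character.
const SAMPLE = '"; </script><b>x</b> \\ & caf\u00e9';
```

The decoded string is still untrusted data: assign it with textContent rather than innerHTML.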