From: Lincoln Yeoh (lyeohpop.jaring.my)
Date: Mon May 06 2002 - 10:09:24 CDT


Back to my original question - judging from the various responses, it seems
that the situation is pretty bad.

If things continue as they are, I don't see how webapps can display 3rd
party HTML safely. There have been a few good suggestions but there still
appears to be no conclusive filter. My sympathies to Yahoo, Hotmail, etc.
(incl. ppl here) dealing with this problem.

I thus propose an HTML/XHTML tag to turn off active content. Will such a
tag be desirable to you guys?

e.g.
<activeoff lock="Random_hard_to_guess_string" except="java">
browser deactivates active content modules/parsers except for java.
content here. Active content not displayable (except for java).
</activeoff lock="wrong_string">
Still no active content displayable.
</activeoff lock="Random_hard_to_guess_string">

(I'd like to drop the except option but I'm putting it there for feedback -
it could be useful for those who know what they are doing - they are
confident of filtering certain types of active content safely).

If it's a good and workable idea, I'll go stick my neck out and go try to
pester the w3c or some browser creators. Don't see why they would listen to
me tho. Anyone with clout who can help?

I figure most browser manufacturers have a higher chance of implementing
this tag properly than websites filtering out things properly.

It doesn't solve the problem with old browsers, but I figure while they
(w3c, browser makers) are busy adding lots of features for the commercial
guys why not add this one for us webapp/security guys?

Cheerio,
Link.
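The semantics of the proposed tag, as an added simulation that is not part of the original post: a small renderer that honours `<activeoff lock=...>` the way the post describes, dropping active elements and inline event handlers until the matching lock appears and ignoring a closing tag that carries the wrong lock. The set of "active" tags, the mapping of `except="java"` to `<applet>`, and the sample page used to exercise it are assumptions constructed for this example.

```python
import re

# Assumed semantics of the proposed tag: active content is disabled between
# <activeoff lock=X> and </activeoff lock=X>; a closing tag with the wrong lock
# is ignored. The active-tag set and the except= mapping are assumptions.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
EXCEPT_MAP = {"java": {"applet"}, "javascript": {"script"}}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>", re.S)
ATTR_RE = re.compile(r'([a-zA-Z]+)\s*=\s*"([^"]*)"')
EVENT_ATTR_RE = re.compile(r"""\s+on[a-zA-Z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""", re.I)


def render(html):
    """Return (rendered_html, blocked_tags) for a browser honouring activeoff."""
    out, blocked = [], []
    lock, allowed, swallow, pos = None, set(), None, 0
    for m in TAG_RE.finditer(html):
        closing, name, raw = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if swallow:                      # inside a blocked element: drop everything
            if closing and name == swallow:
                swallow = None
            pos = m.end()
            continue
        out.append(html[pos:m.start()])  # plain text is never active; keep it
        pos = m.end()
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(raw)}
        if name == "activeoff":
            if not closing and lock is None and "lock" in attrs:
                lock, allowed = attrs["lock"], set()
                for kind in attrs.get("except", "").split(","):
                    allowed |= EXCEPT_MAP.get(kind.strip().lower(), set())
            elif closing and lock is not None and attrs.get("lock") == lock:
                lock, allowed = None, set()
            else:
                blocked.append(m.group(0))   # wrong or missing lock: ignored
            continue                         # activeoff tags are never emitted
        if lock is not None:
            if name in ACTIVE_TAGS and name not in allowed:
                blocked.append(m.group(0))
                if not closing and name != "embed" and not raw.rstrip().endswith("/"):
                    swallow = name           # drop the element's content as well
                continue
            raw, n = EVENT_ATTR_RE.subn("", raw)  # strip inline event handlers
            if n:
                blocked.append(m.group(0))
                out.append(f"<{'/' if closing else ''}{name}{raw}>")
                continue
        out.append(m.group(0))
    out.append(html[pos:])
    return "".join(out), blocked
```

An unclosed blocked element swallows the rest of the document, including the real closing tag, so the lock is simply never released; the failure mode is inert output rather than leaked active content.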