LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The real killer is HTML

The real killer is HTML

Posted Jun 30, 2004 15:16 UTC (Wed) by iabervon (subscriber, #722)
In reply to: The real killer is HTML by Ross
Parent article: The Grumpy Editor's guide to graphical mail clients

For that matter, executable code, hidden links and text, and display outside of the message area should be prohibited in web browsers as well. Why should the web be any less safe than our mailboxes?

I think HTML really ought to have three levels of functionality: non-interactive documents, documents you interact with in browser-controlled ways (forms), and documents with executable portions (scripts). Only the first of these should count as "text/html", since the others do not fit the definition of "text/*". Probably there ought to be MIME media types added for "form" and "script" (and, while we're at it "style").

HTML isn't really all that complicated if you force documents to be non-interactive, particularly now that experience with XML parsers has elucidated the proper representation for parsed documents. (SGML/HTML being essentially XML damaged in recoverable ways, and parsable by an XML parser that's willing to be not too picky)

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds