A user account is required in order to edit this wiki, but we've had to disable public user registrations due to spam.

To request an account, ask an autoconfirmed user on IRC (such as one of these permanent autoconfirmed members).

Difference between revisions of "Talk:Sanitization rules"

From WHATWG Wiki
Jump to: navigation, search
(suggest that data URIs require further sanitization)
Line 3: Line 3:
 
* Rob Sayre says no and refers to a wikipedia article; however, I cannot see anything in the [http://en.wikipedia.org/wiki/Data:_URI_scheme article] that indicates the scheme is not safe.
 
* Rob Sayre says no and refers to a wikipedia article; however, I cannot see anything in the [http://en.wikipedia.org/wiki/Data:_URI_scheme article] that indicates the scheme is not safe.
 
** Looking at that wikipedia page, <code>data</code> could only be added if it were followed by an asterisk, kinda like the 756* that I see popping up all over the place these days.  In particular, I don't see the use case which would justify the investment in sanitizing <code>text/html</code> encoded as a data URI.  Not that it would be difficult, just hard to justify.  Perhaps a section could be added which lists safe content types when included in data URIs. -- [[User:Rubys|Rubys]] 03:48, 9 August 2007 (UTC)
 
** Looking at that wikipedia page, <code>data</code> could only be added if it were followed by an asterisk, kinda like the 756* that I see popping up all over the place these days.  In particular, I don't see the use case which would justify the investment in sanitizing <code>text/html</code> encoded as a data URI.  Not that it would be difficult, just hard to justify.  Perhaps a section could be added which lists safe content types when included in data URIs. -- [[User:Rubys|Rubys]] 03:48, 9 August 2007 (UTC)
 +
* Data URIs should be santizable on a per-MIME type basis.  Until a vulnerability is found for text/plain mime types data URIs should be allowed, but other MIME types should be not allowed by default.  Other, safer types could then be allowed via white list. -- [[User:Enricopulatzo|Enricopulatzo]] 16:49, 9 August 2007 (UTC)

Revision as of 16:53, 9 August 2007

Is the data URI scheme safe?

  • Rob Sayre says no and refers to a wikipedia article; however, I cannot see anything in the article that indicates the scheme is not safe.
    • Looking at that wikipedia page, data could only be added if it were followed by an asterisk, kinda like the 756* that I see popping up all over the place these days. In particular, I don't see the use case which would justify the investment in sanitizing text/html encoded as a data URI. Not that it would be difficult, just hard to justify. Perhaps a section could be added which lists safe content types when included in data URIs. -- Rubys 03:48, 9 August 2007 (UTC)
  • Data URIs should be santizable on a per-MIME type basis. Until a vulnerability is found for text/plain mime types data URIs should be allowed, but other MIME types should be not allowed by default. Other, safer types could then be allowed via white list. -- Enricopulatzo 16:49, 9 August 2007 (UTC)