PaceCodeInjection


Abstract

Alternative to Elliotte's proposed text for dealing with code injection and XSS issues

Status

Proposed

Rationale

Proposal

15.7 Code Injection and Cross Site Scripting

Atom Feed and Entry documents can contain a broad range of content types, including
code that may be executable in some contexts. Malicious clients could attempt to
attack servers or other clients by injecting code into an APP Collection's entries
or media resources.

Server implementations are strongly encouraged to verify that client-supplied content
is safe before accepting, processing or publishing it. In the case of HTML, experience
suggests that verification based on a white list of acceptable content (accept only
what is known to be safe) is more effective than a black list of forbidden content
(reject only what is known to be dangerous).

Additional information about XHTML and HTML content safety can be found in Section 8.1 
of [RFC 4287].
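As an added illustration of the white-list approach above (example code written for this page, not part of the Atom wiki, RFC 4287 or any APP server), the following sanitiser takes an Atom entry whose `content` element has `type="html"`, rebuilds the markup from an assumed allow list of tags, attributes and URL schemes, and drops everything else, including script blocks, event-handler attributes and `javascript:` links. The allow list itself is an assumed policy, not one prescribed by the Atom specifications.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Allow list (an assumed policy, not from the Atom spec): tags, per-tag attributes, URL schemes.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
ATOM_NS = "{http://www.w3.org/2005/Atom}"
class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 inside <script>/<style>; their text is dropped too
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = []
            for name, value in attrs:
                value = value or ""
                if name not in ALLOWED_ATTRS.get(tag, ()) or (
                        name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES)):
                    continue  # drops unlisted attributes (e.g. on* handlers) and javascript:/data: URLs
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # text is re-escaped on output
def sanitize_html(fragment: str) -> str:
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
def sanitize_entry_content(entry_xml: str) -> str:
    """Sanitises an entry's <content type="html">, whose text is escaped HTML (ET unescapes it)."""
    content = ET.fromstring(entry_xml).find(f"{ATOM_NS}content")
    if content is None or content.get("type") != "html":
        raise ValueError("expected <content type='html'>")
    return sanitize_html(content.text or "")

# Constructed sample: a hostile client submits an event handler, a <script> and a javascript: link.
SAMPLE_ENTRY = ('<entry xmlns="http://www.w3.org/2005/Atom"><title>t</title><content type="html">'
                '&lt;p onmouseover="x()"&gt;Hi &lt;script&gt;s()&lt;/script&gt;'
                '&lt;a href="javascript:y()"&gt;link&lt;/a&gt;&lt;/p&gt;</content></entry>')
print(sanitize_entry_content(SAMPLE_ENTRY))  # <p>Hi <a>link</a></p>
```

Content with `type="xhtml"` arrives as real XML child elements rather than an escaped string and would need the same allow list applied to the parsed tree instead.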

Impacts

Notes


CategoryProposals