At 01:47 PM 10/26/2002 -0400, Elliotte Rusty Harold wrote:
>However, I suspect it's at least bad enough that browser vendors and other
>XInclude users should be made aware of the issues, and perhaps not
>XInclude by default; or perhaps it would be enough just not to fallback.
>Or perhaps not make the post-inclusion DOM available through scripting. Or
>limit the URLs included to ones from the same host as the base page came
It reminds me a bit of the issues that David Megginson raised back at XTech
I can't find David's original slides, but it more or less covered the risks
created by wide-open URI processing in a variety of different contexts. It
was prior to XInclude, but pretty interesting stuff. Those tools don't
include a fallback for sending messages back, though!
"Every day in every way I'm getting better and better." - Emile Coue
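
The same-host restriction suggested in the quoted message, sketched as an added example that is not part of either post: a loader for Python's `xml.etree.ElementInclude` that resolves each `href` against the base page and refuses any include that leaves its host. The names `same_host`, `make_loader`, `expand` and `fetch`, the `.example` URLs and the sample documents are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.etree import ElementInclude
from urllib.parse import urljoin, urlsplit


class CrossHostInclude(Exception):
    """Raised when an xi:include href leaves the base page's host."""


def same_host(base_url, href):
    # Resolve first, so relative and absolute hrefs are judged alike.
    # Non-network schemes such as file: have no hostname and never match.
    target = urlsplit(urljoin(base_url, href))
    return target.hostname == urlsplit(base_url).hostname


def make_loader(base_url, fetch):
    # fetch(url) -> bytes is a caller-supplied hook (hypothetical name).
    def loader(href, parse, encoding=None):
        if not same_host(base_url, href):
            raise CrossHostInclude(href)  # refuse outright, no fallback content
        data = fetch(urljoin(base_url, href))
        if parse == "xml":
            return ET.fromstring(data)
        return data.decode(encoding or "utf-8")
    return loader


def expand(doc_text, base_url, fetch):
    # Expand xi:include children of the root under the same-host policy.
    root = ET.fromstring(doc_text)
    ElementInclude.include(root, loader=make_loader(base_url, fetch),
                           base_url=base_url)
    return root


# Constructed sample data: one include on the page's host, one on another host.
BASE = "http://docs.example/page.xml"
XI = 'xmlns:xi="http://www.w3.org/2001/XInclude"'
PAGE_OK = f'<doc {XI}><xi:include href="part.xml"/></doc>'
PAGE_BAD = f'<doc {XI}><xi:include href="http://other.example/secret.xml"/></doc>'
CONSTRUCTED = {"http://docs.example/part.xml": b"<note>local</note>"}


def fetch(url):
    # Offline stand-in for a network fetch.
    return CONSTRUCTED[url]
```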