At 01:47 PM 10/26/2002 -0400, Elliotte Rusty Harold wrote:
>However, I suspect it's at least bad enough that browser vendors and other
>XInclude users should be made aware of the issues, and perhaps not
>XInclude by default; or perhaps it would be enough just not to fallback.
>Or perhaps not make the post-inclusion DOM available through scripting. Or
>limit the URLs included to ones from the same host as the base page came
>from. Thoughts?

It reminds me a bit of the issues that David Megginson raised back at XTech
2000:

http://www.xml.com/pub/a/2000/02/xtech/megginson.html

I can't find David's original slides, but it more or less covered the risks
created by wide-open URI processing in a variety of different contexts. It
was prior to XInclude, but pretty interesting stuff. Those tools don't
include a fallback for sending messages back, though!

Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue