From: Tollef Fog Heen [tollef@ADD.NO]
Sent: Monday, October 09, 2000 5:07 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: Cross site scripting: a long term fix

* Zag Zig

| 1.6. Proposal to add a safe quoting tag to HTML
|
| The HTMLEncode solution above is better than filtering.
| I propose that a solution for quoting markup should be built into
| the HTML specification and therefore made available to all servers
| for use with both static and dynamically generated text.

Which it has been, but was then deprecated and is now obsoleted, from
html-2.1e (from the IETF). It didn't have the same options as yours
(adding stuff to the ending tags etc), and caused problems.

It is probably better to add a tag which means something like 'get this
URI, insert it here, but treat it like mime/type (or let the server which
returns it decide)'.

IMHO, my 0.02$

-- 
Tollef Fog Heen
Unix _IS_ user friendly... It's just selective about who its friends are.