At 01:47 PM 10/26/2002 -0400, Elliotte Rusty Harold wrote:
>However, I suspect it's at least bad enough that browser vendors and other
>XInclude users should be made aware of the issues, and perhaps not
>XInclude by default; or perhaps it would be enough just not to fallback.
>Or perhaps not make the post-inclusion DOM available through scripting. Or
>limit the URLs included to ones from the same host as the base page came
>from. Thoughts?

It reminds me a bit of the issues that David Megginson raised back at XTech 2000:
http://www.xml.com/pub/a/2000/02/xtech/megginson.html

I can't find David's original slides, but it more or less covered the risks created by wide-open URI processing in a variety of different contexts. It was prior to XInclude, but pretty interesting stuff. Those tools don't include a fallback for sending messages back, though!

Simon St.Laurent
"Every day in every way I'm getting better and better." - Emile Coue
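
Two of the mitigations floated in the quoted message (not following fallback, and limiting included URLs to the host the base page came from), sketched as an added example that is not part of the original post or of any XInclude processor. The function name, the sample document and the URLs are constructed for illustration; "same host" is read strictly here as same scheme, host and port, and `xml:base` overrides are not handled.

```python
# Added example: audit xi:include targets before any inclusion is performed.
# Nothing is fetched; the document is only parsed and each href is resolved.
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

XI = "{http://www.w3.org/2001/XInclude}"  # XInclude namespace

# Constructed sample document (not from the original thread).
SAMPLE = """<doc xmlns:xi="http://www.w3.org/2001/XInclude">
  <xi:include href="chapter1.xml"/>
  <xi:include href="http://other.example/data.xml"/>
  <xi:include href="/notes.xml"><xi:fallback>missing</xi:fallback></xi:include>
</doc>"""
SAMPLE_BASE = "http://www.example.org/book/index.xml"


def origin(url):
    """Scheme, lower-cased host and port of a URL (assumed meaning of 'same host')."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def audit_xincludes(xml_text, base_url, allow_fallback=False):
    """Return (resolved_href, allowed, reason) for every xi:include element."""
    root = ET.fromstring(xml_text)
    base = origin(base_url)
    findings = []
    for inc in root.iter(XI + "include"):
        resolved = urljoin(base_url, inc.get("href", ""))
        has_fallback = inc.find(XI + "fallback") is not None
        if origin(resolved) != base:
            findings.append((resolved, False, "different host than base page"))
        elif has_fallback and not allow_fallback:
            findings.append((resolved, False, "fallback present"))
        else:
            findings.append((resolved, True, "same host, no fallback"))
    return findings


if __name__ == "__main__":
    for href, allowed, reason in audit_xincludes(SAMPLE, SAMPLE_BASE):
        print("ALLOW" if allowed else "DENY ", href, "-", reason)
```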



