This post originated from an RSS feed registered with Agile Buzz by James Robertson. Original Post: Dangerous HTML? Feed Title: Cincom Smalltalk Blog - Smalltalk with Rants Feed URL: http://www.cincomsmalltalk.com/rssBlog/rssBlogView.xml Feed Description: James Robertson comments on Cincom Smalltalk, the Smalltalk development community, and IT trends and issues in general. Latest Agile Buzz Posts Latest Agile Buzz Posts by James Robertson Latest Posts From Cincom Smalltalk Blog - Smalltalk with Rants

Tim Bray is worried about security issues with more and more developers including HTML processors in their applications. he points to this:

Atom, like various RSS flavors, lets you include HTML in entries. The IETF requires that all specs have a security section. We were hunting around for a suitable reference on HTML threats and didn't find one. If one exists that covers this modern life, I'd love to know.

It boggles my mind that the W3C (I think this is their problem) or the IETF or *someone* haven't dealt with this. With MSHTML, Gecko, and WebKit, we've started to see many developers incorporate HTML in their applications. The population of apps ready to be burned is growing all the time.

As we all know, standards organizations have limited resources, so perhaps they should hold off on the Modularization of MathML X-Forms over SOAP/BEEP with MTOM base-64 content and take the time to document what's out there now.

Meanwhile, someone's mother is clicking on a popup window that's warned her about "DANGER"...

Of course, I'm completely immune to all of those problems in my aggregator - because the HTML processing and display simply doesn't support any of the things that are a problem - and we aren't embedding anything that does.