Abstract
Alternative to Elliotte's proposed text for dealing with code injection and XSS issues
Status
Proposed
Rationale
Proposal
15.7 Code Injection and Cross Site Scripting

Atom Feed and Entry documents can contain a broad range of content types including code that may be executable in some contexts. Malicious clients could attempt to attack servers or other clients by injecting code into an APP Collection's entries or media resources. Server implementations are strongly encouraged to verify that client supplied content is safe prior to accepting, processing or publishing it. In the case of HTML, experience suggests that verification based on a white list of acceptable content is more effective than a black list of forbidden content. Additional information about XHTML and HTML content safety can be found in Section 8.1 of [RFC 4287].
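As an added example (not code from the Atom wiki, the APP specification or RFC 4287), a minimal allow-list sanitizer of the kind the proposed text recommends for client-supplied HTML, written in Python. The permitted tags, attributes and URL schemes are assumptions chosen for the demo; a server would pick them per collection.

```python
# Added example (not code from the Atom wiki, APP or RFC 4287): an allow-list
# sanitizer for client-supplied HTML. Tag, attribute and scheme sets are assumed.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "a", "em", "strong", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}  # anything else (on*, style, ...) is dropped
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # element and its text are removed together
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Re-emits only listed tags/attributes, re-escapes text, keeps output balanced."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip_depth = [], [], 0  # output, open tags, script/style depth

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            # keep only allow-listed attributes; href must use a safe scheme
            kept = "".join(
                f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if v is not None and n in ALLOWED_ATTRS.get(tag, ())
                and (n != "href" or v.strip().lower().startswith(SAFE_URL_SCHEMES)))
            self.out.append(f"<{tag}{kept}>")
            if tag not in VOID_TAGS:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open:
            while self.open:  # close down to the matching element; stray closers are ignored
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text content


def sanitize_html(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    parser.out.extend(f"</{t}>" for t in reversed(parser.open))  # balance leftovers
    return "".join(parser.out)
```

Comments, processing instructions and unknown elements are dropped by the base parser's default handlers, while the text inside unknown elements is kept.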