PaceSecuritySection


Abstract

Simplified text for Section 10

Status

Open

Related and Conflicting Proposals

PaceFormatSecurity

Rationale

Based on WG discussion and feedback from IETF

Proposal

Insert as the body of section 10:

10.1 HTML and XHTML Content

Text Constructs and atom:content allow the delivery of HTML and XHTML to receiving software, which may process it. Many elements in these languages are considered 'unsafe' in that they open clients to one or more types of attack. Implementers of software which processes Atom should carefully consider their handling of every type of element when processing incoming (X)HTML in Atom documents. See the security sections of RFC 2854 and HTML 4.01 for guidance.

Atom Processors should pay particular attention to the security of the IMG, SCRIPT, EMBED, OBJECT, FRAME, FRAMESET, IFRAME, META, and LINK elements, but other elements may also have negative security properties.

(X)HTML can either directly contain or indirectly reference executable content.

10.1.1 URIs

Atom Processors handle URIs. See Section 7 of RFC 3986.

10.1.2 IRIs

Atom Processors handle IRIs. See Section 8 of RFC 3987.
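
The following is an added example, not part of the Pace's proposed text or of any Atom implementation. It sketches one way a processor could handle the elements named in 10.1: because other elements may also be unsafe, it keeps only an allowlist of tags, attributes and URI schemes. The policy and the names `AtomHtmlSanitizer`, `sanitize` and `safe_uri` are assumptions made for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example (not from the Pace): tag -> attributes kept.
ALLOWED = dict.fromkeys(("p", "b", "i", "em", "strong", "ul", "ol", "li", "br"), ())
ALLOWED["a"] = ("href", "title")
DROP_CONTENT = {"script", "style"}   # the enclosed text is dropped as well
SAFE_URI = re.compile(r"(?i)(https?|mailto):")

def safe_uri(value):
    # Allowed schemes only; relative references are rejected (no xml:base here).
    return bool(SAFE_URI.match("".join(ch for ch in value if ch > " ")))

class AtomHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip = True
        if tag not in ALLOWED:
            self.removed.append(tag)   # record what was stripped, for logging
        elif not self.skip:
            kept = "".join(' %s="%s"' % (n, escape(v, quote=True)) for n, v in attrs
                           if n in ALLOWED[tag] and v is not None
                           and (n != "href" or safe_uri(v)))
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = False
        elif tag in ALLOWED and tag != "br" and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_text):
    parser = AtomHtmlSanitizer()
    parser.feed(html_text)
    parser.close()                     # flush any buffered trailing text
    return "".join(parser.out), parser.removed

# Constructed sample: an atom:content type="html" value after XML unescaping.
SAMPLE = ('<p onclick="x()">Hi <a href="https://example.org/a">ok</a> '
          '<a href="JavaScript:alert(1)">bad</a></p><script>alert(2)</script>'
          '<img src="http://example.net/t.gif"><iframe src="//example.net/"></iframe>')
```

`sanitize(SAMPLE)` returns the cleaned markup together with the list of element names that were removed, which a processor can log.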

Impacts

Notes


CategoryProposals