LJ not correctly parsing <link... > tags.

Wladimir Palant xpoint at gtchat.de
Wed Jul 6 17:38:26 PDT 2005

I don't think consumers need to recognise all HTML entities and I don't 
think they should be able to resolve relative URLs either. OpenID can 
follow the lead of Pingback here: 
http://www.hixie.ch/specs/pingback/pingback#TOC2.2. I also hope to see 
regexps for server autodiscovery in the OpenID spec so that one can 
really rely on every consumer doing the same thing with the page. While 
HTML compliance is a nice feature, simplicity and reliability is more 

Something also missing from the spec is a clear statement about the 
location of link tags - consumers MUST reject any link tag that isn't 
located inside the document head. HTML injection vulnerabilities are 
very common, one shouldn't make it too easy for the abusers.


More information about the yadis mailing list