Securing HTML vs securing HTTP

Brad Fitzpatrick brad at
Mon Jan 23 18:52:56 UTC 2006


Likewise, the Perl implementation ignores everything past the </head>.

Presumably blog/CMS software is safer with its global template than the 
stuff inside the body.

- Brad

Josh Hoyt wrote:
> Jens,
>
> On 1/23/06, Jens Alfke <jens at> wrote:
>> I haven't looked into the source code of the various
>> OpenID client implementations; are they smart enough to recognize only real
>> <link> tags, not CDATA content?
>
> I can't speak for other OpenID implementations, but we were very
> careful when implementing our OpenID libraries[1] to ensure that we
> only accept <link> tags when they are in the <head> of an HTML
> document. We have a test suite[2] to make sure that broken HTML does
> not cause us to recognise <link> tags in unexpected places, and to
> inform users of our library what markup will be accepted.
>
> Unless the OpenID consumer site is trustworthy, the site's use of
> OpenID authentication is meaningless. We hope that users can trust
> sites that use our libraries.
>
> Josh
>
> 1.
> 2.;a=headblob;f=/test/linkparse.txt
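As an added illustration of the parsing rule discussed in this thread (this is not code from the thread, from Josh's library, or from the Perl implementation), the Python 3 parser below accepts <link> tags only while inside <head>, stops at </head> or at the first <body>, and never sees markup that sits inside comments, <script> or <style> text. The rel values openid.server and openid.delegate and the sample document are assumptions made for the example.

```python
from html.parser import HTMLParser

# rel values of OpenID 1.x discovery links (assumed; not named in the thread)
OPENID_RELS = {"openid.server", "openid.delegate"}


class HeadLinkParser(HTMLParser):
    """Collect OpenID <link> tags that appear inside <head> only.

    HTMLParser already delivers comment bodies and <script>/<style> text
    as data rather than tags, so a '<link ...>' written there never reaches
    handle_starttag; the in_head/done flags enforce the head-only rule.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_head = False
        self.done = False      # set once </head> or <body> is seen
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if self.done:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.done = True   # broken HTML without </head>: body ends the head
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            href = a.get("href")
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS and href and rel not in self.links:
                    self.links[rel] = href   # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.done = True


def discover_openid_links(html):
    """Return {rel: href} for OpenID links found in the document's <head>."""
    p = HeadLinkParser()
    p.feed(html)
    p.close()
    return p.links


# Constructed sample: only the two links inside <head> should be accepted.
SAMPLE_HTML = """<html><head><title>id</title>
<!-- <link rel="openid.server" href="https://comment.example/"> -->
<script>var s = '<link rel="openid.server" href="https://script.example/">';</script>
<link rel="openid.server" href="https://good.example/server">
<link rel="openid.delegate" href="https://good.example/user">
</head><body>
<link rel="openid.server" href="https://body.example/"></body></html>"""
```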
