Securing HTML vs securing HTTP
brad at danga.com
Mon Jan 23 18:52:56 UTC 2006
Likewise, the Perl implementation ignores everything past the </head>.
Presumably blog/CMS software is safer with its global template than the
stuff inside the body.
Josh Hoyt wrote:
> On 1/23/06, Jens Alfke <jens at mooseyard.com> wrote:
>> I haven't looked into the source code of the various
>> OpenID client implementations; are they smart enough to recognize only real
>> <link> tags, not CDATA content?
> I can't speak for other OpenID implementations, but we were very
> careful when implementing our OpenID libraries to ensure that we
> only accept <link> tags when they are in the <head> of an HTML
> document. We have a test suite to make sure that broken HTML does
> not cause us to recognise <link> tags in unexpected places, and to
> inform users of our library what markup will be accepted.
> Unless the OpenID consumer site is trustworthy, the site's use of
> OpenID authentication is meaningless. We hope that users can trust
> sites that use our libraries.
> 1. http://www.openidenabled.com/openid/libraries
> 2. http://www.openidenabled.com/resources/darcsweb?r=python-openid;a=headblob;f=/test/linkparse.txt
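An added illustration of the head-only rule Josh describes (example code, not the python-openid library's own parser): it pulls OpenID `<link>` tags from a document only while inside `<head>`, stops at `</head>` or the first `<body>`, and relies on the standard-library `html.parser` to keep comments and `<script>` text from being read as tags. The class and function names, the "first matching link wins" rule, and the sample HTML are all constructed here, not taken from the thread.

```python
from html.parser import HTMLParser


class HeadLinkParser(HTMLParser):
    """Collect <link> attributes seen while inside <head> only.

    Anything after </head> or after the first <body> start tag is ignored,
    so user-supplied markup in the body can never contribute a link.
    HTMLParser already treats <!-- comments --> and <script>/<style>
    contents as non-markup, so a <link> written inside them is not a tag.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.finished = False
        self.links = []  # list of attribute dicts, in document order

    def handle_starttag(self, tag, attrs):
        if self.finished:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            # The body starts; nothing after this point is trusted.
            self.finished = True
        elif tag == "link" and self.in_head:
            self.links.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
            self.finished = True


def openid_links(html):
    """Return {'openid.server': href, 'openid.delegate': href} from <head>.

    For each rel value the first matching <link> wins (constructed rule for
    this example). Links without an href are skipped.
    """
    parser = HeadLinkParser()
    parser.feed(html)
    parser.close()
    found = {}
    for attrs in parser.links:
        href = attrs.get("href")
        if not href:
            continue
        for rel in (attrs.get("rel") or "").lower().split():
            if rel in ("openid.server", "openid.delegate") and rel not in found:
                found[rel] = href
    return found


# Constructed sample: one legitimate pair of links in <head>, plus decoy
# <link> tags in a comment, in a <script>, and in user-controlled body content.
SAMPLE_HTML = """<html><head>
<!-- <link rel="openid.server" href="https://comment.example/ignored"> -->
<script>document.write('<link rel="openid.server" href="https://script.example/ignored">');</script>
<link rel="openid.server" href="https://id.example/server">
<link rel="openid.delegate" href="https://id.example/alice">
</head><body>
<p>User content:</p>
<link rel="openid.server" href="https://attacker.example/server">
</body></html>"""

if __name__ == "__main__":
    print(openid_links(SAMPLE_HTML))
```

Running it prints only the two `https://id.example/...` links; the decoys in the comment, the script block, and the body are all dropped. A document with no `<head>` at all yields an empty result, which matches the strict reading of "only in the `<head>`" rather than guessing at an implied head section.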