LJ not correctly parsing <link... > tags.

Brad Fitzpatrick brad at danga.com
Wed Jul 6 22:36:34 PDT 2005


On Thu, 7 Jul 2005, Wladimir Palant wrote:

> I don't think consumers need to recognise all HTML entities and I don't
> think they should be able to resolve relative URLs either. OpenID can
> follow the lead of Pingback here:
> http://www.hixie.ch/specs/pingback/pingback#TOC2.2. I also hope to see
> regexps for server autodiscovery in the OpenID spec so that one can
> really rely on every consumer doing the same thing with the page. While
> HTML compliance is a nice feature, simplicity and reliability are more
> important.

Thanks for the link!

> Something also missing from the spec is a clear statement about the
> location of link tags - consumers MUST reject any link tag that isn't
> located inside the document head. HTML injection vulnerabilities are
> very common, one shouldn't make it too easy for the abusers.

Added it to the spec.

- Brad


>
> Wladimir
>
>
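
The head-only rule discussed in this thread, as an added example that is not part of the original messages or of the OpenID spec. The rel value `openid.server` is taken from OpenID 1.x rather than from this page, the names `HeadLinkFinder` and `discover_links` are hypothetical, and the sketch uses Python's `html.parser` instead of the regexps suggested above.

```python
from html.parser import HTMLParser

# Constructed sample: one link in the head, one injected into the body.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="https://id.example/server">
</head><body>
<div class="comment"><link rel="openid.server" href="https://attacker.example/s"></div>
</body></html>"""


class HeadLinkFinder(HTMLParser):
    """Collect hrefs of <link rel=...> tags seen inside the first <head> only."""

    def __init__(self, wanted_rel):
        super().__init__()
        self.wanted_rel = wanted_rel
        self.in_head = False
        self.head_done = False  # set once the head ends; it never reopens
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            # A later <head> (for example one injected into the body) is ignored.
            self.in_head = not self.head_done
        elif tag == "link" and self.in_head:
            attr = dict(attrs)
            rels = (attr.get("rel") or "").lower().split()
            href = (attr.get("href") or "").strip()
            # Absolute URLs only: no relative-URL resolution in the consumer.
            if self.wanted_rel in rels and href.lower().startswith(("http://", "https://")):
                self.hrefs.append(href)
        elif tag == "body" or (not self.in_head and tag != "html"):
            # Body content, or any content before a <head>, ends the trusted region.
            self.in_head, self.head_done = False, True

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True


def discover_links(page, rel="openid.server"):
    """Return hrefs of matching link tags located in the document head."""
    finder = HeadLinkFinder(rel)
    finder.feed(page)
    finder.close()
    return finder.hrefs


if __name__ == "__main__":
    print(discover_links(SAMPLE_PAGE))
```
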

