Securing HTML vs securing HTTP

Brad Fitzpatrick brad at danga.com
Mon Jan 23 18:52:56 UTC 2006


Jens,

Likewise, the Perl implementation ignores everything past the </head>.

Presumably blog/CMS software is safer with its global template than the 
stuff inside the body.

- Brad


Josh Hoyt wrote:
> Jens,
> 
> On 1/23/06, Jens Alfke <jens at mooseyard.com> wrote:
>> I haven't looked into the source code of the various
>> OpenID client implementations; are they smart enough to recognize only real
>> <link> tags, not CDATA content?
> 
> I can't speak for other OpenID implementations, but we were very
> careful when implementing our OpenID libraries[1] to ensure that we
> only accept <link> tags when they are in the <head> of an HTML
> document. We have a test suite[2] to make sure that broken HTML does
> not cause us to recognise <link> tags in unexpected places, and to
> inform users of our library what markup will be accepted.
> 
> Unless the OpenID consumer site is trustworthy, the site's use of
> OpenID authentication is meaningless. We hope that users can trust
> sites that use our libraries.
> 
> Josh
> 
> 1. http://www.openidenabled.com/openid/libraries
> 2. http://www.openidenabled.com/resources/darcsweb?r=python-openid;a=headblob;f=/test/linkparse.txt
> 
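The head-only rule that Josh describes above (and that Brad says the Perl implementation follows too), worked as an added example. This is not the code of python-openid or of the Perl library; it is a stand-alone Python script using the standard-library html.parser, with constructed sample pages, and it goes a little beyond the thread by also showing the comment, script, CDATA and missing-</head> cases. The rel values openid.server and openid.delegate are the OpenID 1.x ones; every URL in the samples is made up.

```python
"""Head-only <link> extraction for OpenID 1.x discovery.

Added example, not the python-openid or Net::OpenID code discussed in the
thread.  Standard library only; sample pages are constructed for this
example and the hostnames are fictitious.
"""
from html.parser import HTMLParser

OPENID_RELS = ("openid.server", "openid.delegate")


class HeadLinkParser(HTMLParser):
    """Collect <link> tags that appear inside <head> and nowhere else.

    Tags are accepted only between <head> and the first of </head> or
    <body>.  Markup inside comments, <script>/<style> bodies and CDATA
    sections never reaches handle_starttag, so a <link> smuggled there is
    never seen, and everything after the head is cut off outright.
    """

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.finished = False
        self.links = []

    def handle_starttag(self, tag, attrs):
        if self.finished:
            return
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.finished = True      # head is over, with or without </head>
        elif tag == "link" and self.in_head:
            self.links.append(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "head":
            self.finished = True


def openid_endpoints(page: str) -> dict:
    """Return {"openid.server": href, "openid.delegate": href} from the head.

    The first matching <link> per rel wins; a rel attribute may carry
    several space-separated tokens, as HTML allows.
    """
    parser = HeadLinkParser()
    parser.feed(page)
    parser.close()
    found = {}
    for attrs in parser.links:
        href = attrs.get("href")
        rel_tokens = (attrs.get("rel") or "").lower().split()
        if not href:
            continue
        for rel in OPENID_RELS:
            if rel in rel_tokens and rel not in found:
                found[rel] = href
    return found


# Constructed sample: a well-formed identity page.
CLEAN_PAGE = """<html><head>
<title>Alice</title>
<link rel="openid.server" href="http://openid.example/server">
<link rel="openid.delegate" href="http://openid.example/alice">
</head><body><p>Hello</p></body></html>"""

# Constructed sample: the same identity page after a blog visitor's comment
# and a few other smuggling attempts.  Only the real head link may count.
HOSTILE_PAGE = """<html><head>
<!-- <link rel="openid.server" href="http://evil.example/in-comment"> -->
<script>document.write('<link rel="openid.server" href="http://evil.example/in-script">')</script>
<![CDATA[<link rel="openid.server" href="http://evil.example/in-cdata">]]>
<link rel="openid.server" href="http://openid.example/server">
</head><body>
<div class="comment">
<link rel="openid.server" href="http://evil.example/in-body">
<link rel="openid.delegate" href="http://evil.example/delegate">
</div></body></html>"""

# Constructed sample: no <head> at all, so nothing is trusted.
NO_HEAD_PAGE = """<html><body>
<link rel="openid.server" href="http://evil.example/no-head">
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("hostile", HOSTILE_PAGE),
                       ("no-head", NO_HEAD_PAGE)):
        print(name, openid_endpoints(page))
```

The parser stops at the first of </head> or <body> rather than only at </head>, because a page that forgets to close its head would otherwise leave the whole body, comments included, inside the trusted region; that is exactly the "broken HTML" case Josh's test suite is guarding against.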



More information about the yadis mailing list