
Re: Broken HTML Support: msg#00073

web.openid.general

Subject: Re: Broken HTML Support

On Feb 10, 2006, at 3:48 PM, Josh Hoyt wrote:

1. The spec should not take a position on what a relying party does
with broken markup -- except perhaps mentioning that it has to be
dealt with somehow, because:
2. A relying party must be careful to avoid parsing <meta> tags that
are not in the HTML head, regardless of whether the document is valid.

I think we agree then. Now about those test suites. Love the redirection suite, I think it covers everything. But I think there's some ambiguity on the html parsing (best practices) suite. I'll start compiling a well-formed test-suite as a supplement.

I stuck the html files on lines by themselves, separated by blank lines. Sorry if this client wraps lines.

The suite says I can stop early, how do I know when?
<head><html><meta http-equiv="X-YADIS-Location" content="found">

Does this express an XSS concern?
<body><html><head><meta http-equiv="X-YADIS-Location" content="found">

Okay, I understand failing for the first, but don't understand accepting the second
</body><html><head><meta http-equiv="X-YADIS-Location" content="found">

</porky><html><head><meta http-equiv="X-YADIS-Location" content="found">

I'm not sure I agree with accepting this
<head><meta http-equiv="X-YADIS-Location" content="found">

Okay, I get matching this, but how should I respond? call pitch_fit_throw_tantrum_scream_violently() ?
<html><head><meta http-equiv="X-YADIS-Location" content="">

Okay, what pre<html> junk do we ignore, what makes us fail?
<head><html><meta http-equiv="X-YADIS-Location" content="found">

<body><meta http-equiv="X-YADIS-Location" content="found">

<body><html><head><meta http-equiv="X-YADIS-Location" content="found">


Beyond Josh's Suite

Should I return "" or "found"?
<html><head><meta http-equiv="X-YADIS-Location" content=""><meta http-equiv="X-YADIS-Location" content="found">

Perhaps an attribute order test
<html><head><meta content="found" http-equiv="X-YADIS-Location">

Also red-herring attribute tests
<html><head><meta http-equiv="X-YADIS-Location" content="found not-found">
<html><head><meta http-equiv="X-YADIS-Location" junk="blah" content="found">

Should this return found?
<meta http-equiv="X-YADIS-Location" content="not-found"><html><head><meta http-equiv="X-YADIS-Location" content="found">

Joseph Anthony Pasquale Holsten
24R E 24th St Tulsa OK 74114-2406
mailto:pantosys@xxxxxxxxx
xmpp:pantosys@xxxxxxxxx
tel:+1* 918 813 2447

P.S. Have the answers to these questions been answered somewhere?

Attachment: smime.p7s
Description: S/MIME cryptographic signature
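
Added example (not part of the original message or of the Yadis test suite): one fail-closed way to act on the quoted point that `<meta>` tags outside the HTML head must not be parsed. The policy is an assumption and is stricter than both HTML's optional-tag rules and the suite results the message mentions: the first tag must be `<html>`, the next `<head>`, and scanning stops at the first tag that does not belong in a head. `YadisMetaFinder`, `yadis_locations` and `SAMPLES` are names made up here.

```python
from html.parser import HTMLParser

# Elements that may legitimately appear inside <head>.
HEAD_TAGS = {"title", "base", "link", "meta", "style", "script", "noscript"}


class YadisMetaFinder(HTMLParser):
    """Collect X-YADIS-Location values only from <meta> tags inside <html><head>."""

    def __init__(self):
        super().__init__()
        self.state = "start"  # start -> html -> head -> done
        self.locations = []

    def handle_starttag(self, tag, attrs):
        if self.state == "start" and tag == "html":
            self.state = "html"
        elif self.state == "html" and tag == "head":
            self.state = "head"
        elif self.state == "head" and tag in HEAD_TAGS:
            a = dict(attrs)  # attribute order and unknown attributes do not matter
            if tag == "meta" and (a.get("http-equiv") or "").lower() == "x-yadis-location":
                self.locations.append(a.get("content") or "")
        else:
            # Assumed policy: any other tag means the head is missing or over,
            # so stop early and ignore every later <meta>.
            self.state = "done"

    def handle_endtag(self, tag):
        # Only end tags of head elements, seen inside the head, keep the search alive.
        if not (self.state == "head" and tag in HEAD_TAGS):
            self.state = "done"


def yadis_locations(document):
    """Return every candidate value in document order; the caller picks a winner."""
    finder = YadisMetaFinder()
    finder.feed(document)
    finder.close()
    return finder.locations


META = '<meta http-equiv="X-YADIS-Location" content="found">'
# Constructed inputs modelled on the test lines in the message above.
SAMPLES = ["<html><head>" + META, "<body><html><head>" + META, "</porky><html><head>" + META,
           '<html><head><meta http-equiv="X-YADIS-Location" content="">' + META]

if __name__ == "__main__":
    for doc in SAMPLES:
        print(repr(doc), "->", yadis_locations(doc))
```

Returning a list rather than a single value leaves the empty-versus-later-value question to the caller, and an empty list means no trusted location was found.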
