Issue
-----
No discussion is made about the merits of escaping content which will
be transformed into structured comments. For example, the following
fragment might be used to smuggle content into the script:
<displayblock><trouble>*/
if header :contains "from" "enemy(_at_)example(_dot_)edu" {
discard;
}
/*</trouble></displayblock>
Proposal
--------
To "4.2. Structured Comments" Add:
If "*/" is found in the XML content, when mapped into a comment it
would prematurely terminate that comment. Escaping of this sequence
would often be inconvenient for processors. Editors SHALL NOT include
"*/" within displayblock, displaydata or foreign markup. Processors MAY
regard documents containing "*/" in foreign markup, displayblock
or displaydata as invalid.
To "5. Security Considerations" Add:
Little effective protection can be offered by a processor to the user
of a malicious editor.
Rationale
---------
Only limited protection can be offered to the user by a processor against
a malicious or buggy editor. The effectiveness of that protection should
b weighed against the implementation complexity. Escaping is inconvenient
for processors and introduces complexity for very little security gain.
Editors control the meta-data they wish to insert and it is simpler just
to ensure that this meta-data does not contain "*/".