Issue
-----
No discussion is made about the merits of escaping content which will
be transformed into structured comments. For example, the following
fragment might be used to smuggle content into the script:
<displayblock><trouble>*/
if header :contains "from" "enemy(_at_)example(_dot_)edu" {
discard;
}
/*</trouble></displayblock>
Proposal
--------
To "4.2. Structured Comments" Add:
If "*/" is found in the XML content, when mapped into a comment it
would prematurely terminate that comment. Escaping of this sequence
would often be inconvenient for processors. Editors SHALL NOT include
"*/" within displayblock, displaydata or foreign markup. Processors MAY
regard documents containing "*/" in foreign markup, displayblock
or displaydata as invalid.
This seems like a reasonable restriction to document.
To "5. Security Considerations" Add:
Little effective protection can be offered by a processor to the user
of a malicious editor.
Others have pointed out that this is a more general issue for Sieve and
not specific to this document. That said, the security considerations
section here really should point out that the trust conferred on editors
must also be conferred on XML conversion components. I'm going to add
a statement to that effect.
Ned