<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
The most obvious choice is whitelisting, at least for for http-equiv, because the specification is relatively complex.<br /><a href="https://www.w3.org/TR/html401/struct/global.html#edef-META" target="_blank">https://www.w3.org/TR/html401/struct/global.html#edef-META</a><br /><br />Whitelisting for name attribute might be less usable, but I do not know whether it is important to add keywords for search engines these days. Probably not.<br /><a href="https://www.w3.org/TR/html401/appendix/notes.html#recs" target="_blank">https://www.w3.org/TR/html401/appendix/notes.html#recs</a><br /><br />Personally I am interested to see support for the use cases below.<br /> <meta charset="utf-8"/><br /> <meta http-equiv="X-UA-Compatible" content="IE=edge"/><br /> <meta name="viewport" content="width=device-width, initial-scale=1.0"/><br /><br />At the moment I just define meta as <br />val meta : unit -> tag [Nam = string, Content = string, Http_equiv = string, Charset = string] head [] [] []<br /><br /><br />16. Apr 2016 10:35 by <a href="mailto:adamc@csail.mit.edu" target="_blank">adamc@csail.mit.edu</a>:<br /><br /><blockquote class="tutanota_quote" style="border-left: 1px solid #93A3B8; padding-left: 10px; margin-left: 5px;">Someone recently requested a nice way to include a <meta name="viewport" content="..."> tag in Ur/Web. It doesn't seem safe to expose <meta> in its most general form, with type [string] for each attribute, since it seems like browsers could interpret those strings in quite arbitrary ways, which goes against Ur/Web's philosophy about implicit interpretation of strings as programs.<br /><br />Are there any opinions, then, on the right way to expose this tag?<br /><br />My first thought is to add an application-level whitelist of which <meta> names are allowed, just as with HTTP header names. Then the 'content' attribute could be exposed as [string], while the 'name' attribute would have an abstract type of allowable names. The programmer would need to be careful not to whitelist names that can lead to mayhem.<br /><br />_______________________________________________<br />Ur mailing list<br /><a target="_blank" href="mailto:Ur@impredicative.com">Ur@impredicative.com</a><br /><a target="_blank" href="http://www.impredicative.com/cgi-bin/mailman/listinfo/ur">http://www.impredicative.com/cgi-bin/mailman/listinfo/ur</a></blockquote> </body>
</html>