Internet Explorer 9 and Firefox 4 will support it, and Microsoft recently touted its advantages. But the upcoming version of HTML, which builds rich Internet application features into the Web programming language and shifts more Web functions to the client machine, also could open up new Web attack vectors.
Security experts say HTML 5, which comes with rich Internet application features baked in, will not only provide better performance and multimedia features, such as video, but also will eliminate the need to manage and maintain browser plug-ins, such as Adobe Flash. "These features are tied in at the design stage," says Josh Abraham, security researcher with Rapid7. "You don't have to load in a third-party plug-in and then upgrade it. Maintaining these third-party [applications] has been a huge issue [for organizations]."

Even so, Abraham says the current HTML 5 specification comes with some security risks of its own. HTML 5 -- which is currently a working draft within the World Wide Web Consortium (W3C) and is expected to be finalized late this year or sometime in 2011 -- moves more Web functions to the client computer.

HTML 5 lets developers store information for a Web application on the client side and offline, Abraham notes. "That means persistent storage on the client for longer periods of time than while a cookie exists...they store this within a file-based client-side database," he says. That opens the door for attackers to wage SQL injection attacks on the client's machine, he says.

The link for this article located at Dark Reading is no longer available.