The European Union's computer security agency warned that the draft HTML5 standard may neglect important security issues.
"It's the first time anyone has looked at those specifications from a security point of view," said Giles Hogben, program manager for secure services at ENISA.
Some of the security issues can be fixed by tweaking the specifications, while others are risks that browser users should be warned about, Hogben said.
ENISA also recommended "sandboxed," or isolated, browser sessions to protect online financial transactions in one browser window from being hijacked by malware in another open browser window.
HTML5 is curated by the World Wide Web Consortium, which will consider the suggestions and revise the specifications by January.
Application designers and Web developers will use the HTML5 specifications for years to come. The HTML4 specifications, for example, have been in use since 1999.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.