W3C home > Mailing lists > Public > public-script-coord@w3.org > January to March 2013

Re: html template string handler WAS: E4H and constructing DOMs

From: Mike Samuel <mikesamuel@gmail.com>
Date: Mon, 11 Mar 2013 19:18:39 -0400
Message-ID: <CACod6GvuSHheU2pNvy=MQkAGcPbfq_f_A=xcEQrmv96X8LYO5w@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, Ojan Vafai <ojan@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>
2013/3/11 Adam Barth <w3c@adambarth.com>:
> On Mon, Mar 11, 2013 at 1:25 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Mon, Mar 11, 2013 at 1:12 PM, Adam Barth <w3c@adambarth.com> wrote:
>> I believe that supporting attribute names, and perhaps tagnames, from
>> inputs is also sufficiently useful and easy to secure.
>
> Those seem pretty dangerous.  That lets the attacker choose things
> like "onclick" and "script", which might lead to script execution.

I've seen this requested to satisfy two usecases.  <h{...}> can be
used to create hierarchical structures from nested data, and <button
onkey{...}> can be used to workaround platform idiosyncrasies that
cause developers to want to catch keypress events on some browsers and
keydown on others..
Received on Monday, 11 March 2013 23:19:07 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:09 UTC