On Thu, Jun 16, 2011 at 7:56 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 16 June 2011 15:46, Eduardo Vela <sirdarckcat@gmail.com> wrote:
>>
>> It's by design.
>>
>> This also works with inline-scripts enabled:
>>
>> document.write("<script>alert(1)</script>")
>
> That's slightly different though, you're writing HTML but in my previous
> example it's clearly executing a string as JS but I take your point

I'm not sure I follow. You're saying that inline event handlers should be
gated by unsafe-eval instead of unsafe-inline when they're added via the DOM
but the reverse when they're added via the parser?

Adam

Received on Thursday, 16 June 2011 17:53:23 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 16 June 2011 17:53:24 GMT
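The question in the message above (which directive gates a handler added through the DOM versus one added by the parser, and where document.write of a script tag falls) was settled in the later CSP specification: everything the HTML parser or the event-handler compiler turns into code is "inline" and governed by 'unsafe-inline', while only the string-to-code APIs (eval, Function, string timers) are governed by 'unsafe-eval'. The test page below is an added example, not part of the thread or of any browser's or the W3C's code, and exercises each vector under a policy that allows neither keyword, logging what a current CSP Level 3 browser blocks. The nonce value is a constructed placeholder for a local demo; a real deployment must use a fresh random nonce per response and send the policy in a header rather than a meta tag.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Policy under test: neither 'unsafe-inline' nor 'unsafe-eval'; only the
     nonced script below may run. 'report-sample' asks the browser to include
     the first bytes of blocked inline code in the violation event.
     The nonce is a fixed placeholder for this offline demo only. -->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'nonce-k7Zq1demo' 'report-sample'">
<title>CSP: inline vs eval gating</title>
<pre id="out"></pre>

<!-- Parser-inserted inline event handler: subject to the inline check. -->
<button id="parserHandler" onclick="log('parser-inserted onclick RAN')">parser onclick</button>

<script nonce="k7Zq1demo">
  // This is the only script carrying the nonce, so it is the only script the
  // policy permits. Everything else below is expected to be blocked or to run
  // without any CSP check, as noted per case.
  const out = document.getElementById('out');
  function log(msg) { out.textContent += msg + '\n'; }

  // Each blocked attempt is reported here with the directive that blocked it
  // (script-src-elem for script elements, script-src-attr for handler
  // attributes, script-src for eval-like APIs). Events are queued, so they
  // appear after the synchronous log lines.
  document.addEventListener('securitypolicyviolation', e => {
    log(`BLOCKED by ${e.effectiveDirective}: ${e.sample || e.blockedURI}`);
  });

  // 1. document.write of a <script>: the string is fed to the HTML parser, so
  //    the result is an ordinary inline script, gated by 'unsafe-inline'.
  //    (The case quoted in the thread.) The closing tag is escaped so the
  //    outer script element is not terminated early.
  document.write('<script>log("document.write script RAN")<\/script>');

  // 2. DOM-inserted inline script element: also inline, gated by 'unsafe-inline'.
  const s = document.createElement('script');
  s.textContent = 'log("createElement inline script RAN")';
  document.body.appendChild(s);

  // 3. Event handler attribute set through the DOM: when the browser compiles
  //    the handler it is treated as inline, gated by 'unsafe-inline', not by
  //    'unsafe-eval'. Same outcome as the parser-inserted handler above.
  const b = document.createElement('button');
  b.textContent = 'DOM onclick';
  b.setAttribute('onclick', 'log("setAttribute onclick RAN")');
  document.body.appendChild(b);
  b.click();

  // 4. Handler assigned as a function via the IDL attribute: no string is
  //    ever compiled, so no CSP check applies and it runs under any policy.
  const f = document.createElement('button');
  f.textContent = 'IDL onclick';
  f.onclick = () => log('onclick = function RAN');
  document.body.appendChild(f);
  f.click();

  // 5. String-to-code APIs: gated by 'unsafe-eval'. eval and new Function
  //    throw an EvalError at the call site; setTimeout with a string swallows
  //    the error and simply never fires, leaving only the violation event.
  for (const [name, fn] of [
    ['eval',         () => eval('log("eval RAN")')],
    ['new Function', () => new Function('log("new Function RAN")')()],
    ['setTimeout',   () => setTimeout('log("setTimeout string RAN")', 0)],
  ]) {
    try { fn(); } catch (err) { log(`${name} threw ${err.name}`); }
  }

  // Fire the parser-inserted handler last; its log() target is defined now.
  document.getElementById('parserHandler').click();
</script>
```

Open the file in a browser and read the <pre>: only "onclick = function RAN" should appear as having run; cases 1 to 3 and the parser-inserted button are reported under script-src-elem or script-src-attr, and case 5 under script-src. Adding 'unsafe-inline' to the meta policy makes cases 1 to 3 run while case 5 stays blocked; adding 'unsafe-eval' does the reverse, which is the distinction the thread was working toward.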