W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2010

[whatwg] Javascript: URLs as element attributes

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Thu, 02 Dec 2010 17:58:06 -0500
Message-ID: <4CF8247E.80304@mit.edu>
On 12/2/10 4:26 PM, Daniel Veditz wrote:
> On 12/1/10 10:25 AM, timeless wrote:
>> Pnglets date to around 1999 according to a quick read of http://elf.org/pnglets/
>
> Pnglets haven't worked in Mozilla for a long time,<img src=>  is
> sandboxed.

It's not just sandboxed; it also  doesn't execute.  There's a bug on 
this, where brendan keeps claiming we should execute it unsandboxed and 
I keep claiming that would be XSS-city and that if we run it, it needs 
to be sandboxed.  ;)

-Boris
Received on Thursday, 2 December 2010 14:58:06 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:02 UTC