
RE: Why is the style tag restricted to the head?

From: Peter Foti (PeterF) <PeterF@SystolicNetworks.com>
Date: Fri, 9 Aug 2002 13:03:05 -0400
Message-ID: <A10A983C9DFBD4119F0300104B2EA6B70F9CFF@ZIPPY>
To: "'www-style@w3.org'" <www-style@w3.org>

> Peter Foti (PeterF) <PeterF@SystolicNetworks.com>:
> 
> > 2.  What would happen then for sites that allow users to enter data to be
> > displayed, like on a message board?  Suppose a user posts some style that
> > adversely affects the layout of the rest of the page?  For example:
> >
> > <div>
> >    <style type="text/css">
> >    div
> >    {
> >       position : absolute;
> >       width : 100%;
> >       height : 100%;
> >       background-color : Black;
> >       top : 0px;
> >       left : 0px;
> >    }
> >    </style>
> >
> >    <div>Ha Ha!  I am blocking your entire page!</div>
> > </div>
> >
> > This essentially opens up a very large security hole, in that you can cover
> > the entire contents of a web page.  This in itself is a good enough reason
> > to NOT allow <style> elements within the body of a document.
> 
> You can do that right now on any web-based message board that allows for HTML in
> posts.  I did something like that as a joke once.  <div style="position :
> absolute;width : 100%;height : 100%;background-color : Black;top : 0px;left :
> 0px;">text</div>.


Isn't this then a good enough reason to also get rid of the style attribute?
:)

-Peter
Received on Friday, 9 August 2002 12:57:06 GMT
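
Both vectors raised in this thread, a `<style>` element inside a post and an inline `style` attribute, handled by an allowlist filter a message board could run over user posts before display. This is an added example, not part of the original message; the allowlists, the `PostSanitizer` and `sanitize_post` names, and the sample posts are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlists for a message board; everything else is dropped.
ALLOWED_TAGS = {"a", "b", "blockquote", "br", "code", "div", "em", "i", "p", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}          # style, class and id are never kept
DROP_WITH_CONTENT = {"style", "script"}  # remove the element and its text
VOID_TAGS = {"br"}

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open = [], []  # output pieces, stack of open kept tags
        self.skip_depth = 0           # > 0 while inside <style> or <script>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = [(k, v) for k, v in attrs if k in ALLOWED_ATTRS.get(tag, ()) and v
                    and v.lower().startswith(("http://", "https://"))]  # href: web links only
            self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")
            if tag not in VOID_TAGS:
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.open:
            closed = None
            while closed != tag:  # also closes tags left open inside it
                closed = self.open.pop()
                self.out.append(f"</{closed}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize_post(html_text):
    parser = PostSanitizer()
    parser.feed(html_text)
    parser.close()
    # Close anything the post left open so it cannot swallow the rest of the page.
    return "".join(parser.out) + "".join(f"</{t}>" for t in reversed(parser.open))

# Constructed samples modelled on the two posts quoted in the thread.
STYLE_ELEMENT_POST = ('<div><style type="text/css">div { position: absolute; width: 100%; '
                      'height: 100%; top: 0px; left: 0px; }</style><div>Ha Ha!</div></div>')
STYLE_ATTR_POST = '<div style="position: absolute; width: 100%; height: 100%;">text</div>'
```

Dropping `style` outright is the blunt option; a board that wants to permit some inline styling would need a CSS property allowlist as well, which this example does not attempt.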
