On Mon, 6 Jan 2003, Shelby Moore wrote:

>>> From a security point of view, allowing links to active content in
>>> styles is dangerous. Stylesheets are expected by many to be free
>>> of active content, and are allowed in places such as
>>> user-submitted content, HTML e-mail etc.
>>
>> This is a very valid concern, and is very much of interest to me.
>>
>> There are several possible solutions.
>>
>> One is to suggest to the XML team that a new attribute be
>> introduced, xml:scripting or some such, which could indicate that
>> everything from that element and deeper should be unable to execute
>> associated script.
>
> Oh, that is just a great idea!
>
> Now XBL will require changes in every major W3C standard (DOM, CSS, XML).

Actually I believe this problem exists regardless of XBL's position at the W3C.

This is a long standing problem: <script>, link="script", Link: script, IE's 'behaviour', Mozilla's '-moz-binding', event handler attributes, data: URIs to script, javascript: URIs, script embedded in embedded HTML and SVG, IE's expression(), etc.

There are dozens of ways of linking script, and currently there is no standard way of indicating that a section should be considered unsafe with no script executed. XBL merely brings this problem to the table. The proverbial last straw, as it were.

-- 
Ian Hickson                                      )\._.,--....,'``.    fL
"meow"                                          /,   _.. \   _\  ;`._ ,.
http://index.hixie.ch/                         `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 6 January 2003 12:20:17 GMT
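Since the message lists several stylesheet-borne script vectors (IE's expression() and behavior, Mozilla's -moz-binding, javascript: and data: URIs) and notes that nothing marks a stylesheet as script-free, a practical mitigation is to scan user-submitted CSS for those constructs before accepting it. The following is an added example written for this page, not code from the thread or from any W3C project; the pattern names, the normalisation rules and the sample stylesheet are constructed for illustration.

```python
import re

# Active-content vectors named in the thread (IE expression(), IE behavior,
# Mozilla -moz-binding, javascript: and data: URIs). Matching is done on a
# normalised copy of the stylesheet; the patterns are deliberately conservative.
ACTIVE_CSS_PATTERNS = {
    "ie-expression": re.compile(r"expression\s*\("),
    "ie-behavior": re.compile(r"(?:^|[;{\s])behavior\s*:"),
    "moz-binding": re.compile(r"(?:^|[;{\s])-moz-binding\s*:"),
    "javascript-uri": re.compile(r"url\s*\(\s*['\"]?\s*javascript:"),
    # data: URIs are flagged unless they carry a non-SVG image type, since
    # embedded HTML/SVG can itself carry script.
    "data-uri": re.compile(r"url\s*\(\s*['\"]?\s*data:(?!image/(?!svg))"),
}

_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# CSS escapes: backslash + 1-6 hex digits + optional single whitespace, or backslash + any char.
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\(.)", re.DOTALL)


def normalize_css(css: str) -> str:
    """Undo the cheap obfuscations a filter must see through before matching:
    comment splitting (exp/**/ression), hex escapes (java\\73 cript), letter case."""
    css = _CSS_COMMENT.sub("", css)

    def unescape(m: re.Match) -> str:
        if m.group(1) is not None:
            code = int(m.group(1), 16)
            return chr(code) if 0 < code <= 0x10FFFF else "\ufffd"
        return m.group(2)

    return _CSS_ESCAPE.sub(unescape, css).lower()


def find_active_content(css: str) -> list[str]:
    """Return the sorted names of active-content vectors present in `css`."""
    norm = normalize_css(css)
    return sorted(name for name, pat in ACTIVE_CSS_PATTERNS.items() if pat.search(norm))


# Constructed sample of a user-submitted stylesheet with obfuscated active content.
SAMPLE_CSS = r"""
.profile { width: exp/**/ression(1); }
.avatar  { background: url("java\73 cript:void(0)"); }
#box     { -moz-binding: url(http://example.invalid/bindings.xml#b); }
"""

if __name__ == "__main__":
    print(find_active_content(SAMPLE_CSS))
```

A stylesheet that reports any vector should be rejected or have the offending declarations dropped; a real CSS tokenizer would be more precise than these regexes, which err on the side of flagging.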