- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 6 Jan 2003 17:20:15 +0000 (GMT)
- To: Shelby Moore <shelby@coolpage.com>
- Cc: "www-style@w3.org" <www-style@w3.org>
On Mon, 6 Jan 2003, Shelby Moore wrote:
>>>
>>> From a security point of view, allowing links to active content in
>>> styles is dangerous. Stylesheets are expected by many to be free
>>> of active content, and are allowed in places such as
>>> user-submitted content, HTML e-mail etc.
>>
>> This is a very valid concern, and is very much of interest to me.
>>
>> There are several possible solutions.
>>
>> One is to suggest to the XML team that a new attribute be
>> introduced, xml:scripting or some such, which could indicate that
>> everything from that element and deeper should be unable to execute
>> associated script.
>
> Oh that is just a great idea!
>
> Now XBL will require changes in every major W3C standard (DOM, CSS, XML).

Actually I believe this problem exists regardless of XBL's position at the
W3C. This is a long-standing problem: <script>, link="script", Link:
script, IE's 'behaviour', Mozilla's '-moz-binding', event handler
attributes, data: URIs to script, javascript: URIs, script embedded in
embedded HTML and SVG, IE's expression(), etc.

There are dozens of ways of linking script, and currently there is no
standard way of indicating that a section should be considered unsafe
with no script executed.

XBL merely brings this problem to the table. The proverbial last straw, as
it were.

-- 
Ian Hickson                                      )\._.,--....,'``.    fL
"meow"                                          /,   _.. \   _\  ;`._ ,.
http://index.hixie.ch/                         `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 6 January 2003 12:20:17 UTC
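The message lists the stylesheet constructs that can pull script into a page (IE's 'behaviour', Mozilla's '-moz-binding', IE's expression(), javascript: and data: URIs) and notes that there is no standard way to mark user-submitted content as script-free. The following is an added example, not part of the thread or any W3C specification: a small Python screener that a site accepting user-submitted stylesheets or HTML e-mail could run to reject those constructs. It flags the script-binding properties by name, flags any value containing expression(), and treats every url() scheme other than http/https as suspect (an allow-list, so data: and javascript: are rejected without being enumerated). The sample stylesheet, the scheme allow-list and the function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample: a "user-submitted" stylesheet mixing harmless rules
# with the script-carrying constructs named in the message.
SAMPLE_CSS = """
p { color: blue; }
.a { width: expression(document.body.clientWidth); }
.b { -moz-binding: url("http://example.invalid/bind.xml#x"); }
.c { behavior: url("foo.htc"); }
.d { background: url(javascript:void(0)); }
.e { background: url("data:image/svg+xml,%3Csvg%2F%3E"); }
.f { background: url("https://example.invalid/img.png"); }
"""

# Properties that bind script to an element: IE's 'behavior' (both
# spellings) and Mozilla's '-moz-binding'.
SCRIPT_PROPERTIES = {"behavior", "behaviour", "-moz-binding"}

# Allow-list of url() schemes a submitted stylesheet may use (assumption for
# this example); relative URLs carry no scheme and are left alone.
ALLOWED_URL_SCHEMES = {"http", "https"}

_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
_DECL_RE = re.compile(r"([-a-z]+)\s*:\s*([^;{}]+)")          # property: value
_URL_RE = re.compile(r"url\(\s*['\"]?\s*([^'\")\s]+)")        # url( target
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")             # leading scheme


def normalize(css: str) -> str:
    """Strip CSS comments, collapse whitespace and lower-case before scanning,
    so that the checks below see one canonical form of each declaration."""
    css = _COMMENT_RE.sub("", css)
    return re.sub(r"\s+", " ", css).lower()


def find_active_content(css: str) -> List[Tuple[str, str]]:
    """Return (reason, declaration) pairs for every declaration that could
    load or execute script.  An empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for prop, value in _DECL_RE.findall(normalize(css)):
        decl = f"{prop}: {value.strip()}"
        if prop in SCRIPT_PROPERTIES:
            findings.append(("script-binding property", decl))
            continue
        if "expression(" in value:
            findings.append(("IE expression()", decl))
            continue
        # Any url() whose scheme is outside the allow-list is rejected; this
        # covers javascript: and data: without listing them individually.
        for target in _URL_RE.findall(value):
            m = _SCHEME_RE.match(target)
            if m and m.group(1) not in ALLOWED_URL_SCHEMES:
                findings.append((f"url() with non-allowed scheme '{m.group(1)}'", decl))
    return findings


def is_safe(css: str) -> bool:
    """True when the screener finds no script-carrying construct."""
    return not find_active_content(css)


if __name__ == "__main__":
    for reason, decl in find_active_content(SAMPLE_CSS):
        print(f"{reason:45s} {decl}")
```

Run on the sample, five of the seven declarations are flagged and only the plain colour rule and the https image survive. This is a rejection screen, not a parser: it deliberately refuses anything it cannot classify as harmless, which is the right default for content where, as the message says, readers expect no active content at all. A production filter should sit on a real CSS tokenizer and add a property allow-list as well, since new script-bearing constructs keep appearing (the message's own point).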