
Re: [becss] security notice

From: Andrew Fedoniouk <news@terrainformatica.com>
Date: Wed, 4 Apr 2007 13:00:53 -0700
Message-ID: <001f01c776f3$f3837e40$db02000a@internal.toppro.net>
To: "fantasai" <fantasai.lists@inkedblade.net>, <www-style@w3.org>

----- Original Message ----- 
From: "fantasai" <fantasai.lists@inkedblade.net>
To: <www-style@w3.org>
Sent: Wednesday, April 04, 2007 1:22 PM
Subject: [becss] security notice

| The BeCSS draft should note somewhere that the 'binding'
| property can introduce scripting and, unlike other CSS
| properties, may need to be stripped out of user-submitted
| content on sites like LiveJournal and weblogs.
| ~fantasai

In principle, 'binding', 'behavio[u]r' and similar attributes
shall not have url/uri/iri values - just IDs.

In any case binding is technology dependent - not all resources
can be presented as URLs now.

As an example, css:

li.myclass { binding: MyButton; }

and in script (global namespace):

var MyButton =
{
   onmousedown: function() {...},
   onmouseup: function() {...}
}

Here the binding point defines one 'class' from many in some script file.
The same can be applied to XBL and other similar technologies.

And more: ideally CSS should also allow import of 
scripts and other resources:

@media screen
{
    @import-resource application/javascript "./my-componentes.js"
}

This way a single CSS file may be used for styling presentation and behavior,
allowing HTML to be used for semantic purposes only.

Andrew Fedoniouk.

Received on Wednesday, 4 April 2007 19:59:50 UTC
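
The stripping of 'binding' from user-submitted content that the quoted notice asks for, as an added example that is not part of the original message or of any draft. The function names are hypothetical, and folding vendor-prefixed forms such as -moz-binding into the blocked set is an assumption of this sketch; it filters a declaration list (a style attribute value), not a full stylesheet.

```javascript
// Added example (not from the thread). Property names blocked here are the ones
// the thread names; vendor-prefixed forms such as -moz-binding are folded in.
const BLOCKED = new Set(["binding", "behavior", "behaviour"]);
const IDENT = /^-{0,2}[a-z_][a-z0-9_-]*$/;

// Decode CSS escapes so "\62 inding" compares equal to "binding".
function unescapeCssIdent(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g, (m, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return String.fromCodePoint(cp === 0 || cp > 0x10ffff ? 0xfffd : cp);
  });
}

// Split on ';' only at top level: not inside strings, parentheses or comments.
function splitDeclarations(css) {
  const out = [];
  let cur = "", quote = null, depth = 0;
  for (let i = 0; i < css.length; i++) {
    const c = css[i];
    if (c === "\\" && i + 1 < css.length) { cur += c + css[++i]; continue; }
    if (quote) { cur += c; if (c === quote) quote = null; continue; }
    if (c === "/" && css[i + 1] === "*") {
      const end = css.indexOf("*/", i + 2);
      i = end === -1 ? css.length : end + 1;
      cur += " ";                       // a comment separates tokens
      continue;
    }
    if (c === '"' || c === "'") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && depth > 0) depth--;
    if (c === ";" && depth === 0) { out.push(cur); cur = ""; } else cur += c;
  }
  out.push(cur);
  return out;
}

// Keep a declaration only if its decoded name is a plain identifier and is not
// blocked; anything that cannot be parsed is dropped (fail closed).
function sanitizeDeclarations(css) {
  return splitDeclarations(css).map((d) => d.trim()).filter((d) => {
    const colon = d.indexOf(":");
    if (colon < 1) return false;
    const name = unescapeCssIdent(d.slice(0, colon).trim()).toLowerCase();
    return IDENT.test(name) && !BLOCKED.has(name.replace(/^-[a-z]+-/, ""));
  }).join("; ");
}
```

Comparing names only after escape decoding and case folding is the point: a filter that matches the literal text "binding" misses the escaped and upper-case spellings that a CSS parser treats as the same property.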
