[css21] grammar issue ("url(", security)

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 25 Dec 2007 21:02:52 +0100
To: www-style@w3.org
Message-ID: <op.t3wpy20q64w2qv@annevk-t60.oslo.opera.com>

Hi,

In http://www.w3.org/TR/CSS21/grammar.html#scanner the productions  
starting with "url(" need to be changed to start with {u}{r}{l}"(" instead  
for more consistency with the rest of the CSS language. (IE7 and Firefox  
already "break" with the specification here.)

I think personally I'd be very much in favor of introducing LITERAL_IDENT  
or something in that direction that does not allow escapes and that we use  
that instead of allowing escapes all over the language. This should also  
make the language more secure in the sense that people are currently  
probably only comparing property strings on an (ASCII) case-insensitive  
basis and don't care at all about escapes, etc. On the other hand, most of  
those filters are probably whitelist based, which would not expose them to  
this, but it still feels sort of icky.

Kind regards,


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 25 December 2007 20:00:49 GMT
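
The comparison problem raised in the message, as an added example that is not part of the original post: a filter that only folds ASCII case misses spellings that the CSS 2.1 escape rules decode to the same identifier. The function names and sample strings are constructed for illustration.

```javascript
// Added example (not from the original message). Escape rules follow the
// {unicode} and {escape} macros of the CSS 2.1 scanner.
// Backslash + 1-6 hex digits + one optional whitespace (CRLF counts as one),
// or backslash + any character that is not a hex digit or a newline.
const CSS_ESCAPE =
  /\\(?:([0-9a-fA-F]{1,6})(?:\r\n|[ \t\r\n\f])?|([^\r\n\f0-9a-fA-F]))/gu;

function unescapeCssIdent(raw) {
  return raw.replace(CSS_ESCAPE, (match, hex, literal) => {
    if (literal !== undefined) return literal; // e.g. \u decodes to u
    const cp = parseInt(hex, 16);
    // Assumption of this example: zero or out-of-range code points map to U+FFFD.
    if (cp === 0 || cp > 0x10ffff) return "\ufffd";
    return String.fromCodePoint(cp);
  });
}

// ASCII-only case folding, so non-ASCII letters are never folded into ASCII.
function asciiLower(s) {
  return s.replace(/[A-Z]/g, (c) => c.toLowerCase());
}

// The comparison the message describes: case-insensitive, escapes ignored.
function naiveEquals(raw, name) {
  return asciiLower(raw) === name;
}

// Decode escapes first, then compare what a CSS tokenizer would see.
function canonicalEquals(raw, name) {
  return asciiLower(unescapeCssIdent(raw)) === name;
}

// Constructed sample spellings (JavaScript string literals, so "\\" is one backslash).
const SAMPLES = [
  "url", "URL", "\\75rl", "u\\72 l",
  "\\000055\\000052\\00004c", "\\u\\r\\l", "curl",
];

function compareAll(name) {
  return SAMPLES.map((raw) => ({
    raw,
    naive: naiveEquals(raw, name),
    canonical: canonicalEquals(raw, name),
  }));
}

console.table(compareAll("url"));
```

Only the first two samples match under the case-insensitive comparison; the four escaped spellings match once escapes are decoded, and `curl` matches under neither.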
