W3C home > Mailing lists > Public > www-style@w3.org > January 2008

Re: [css21] grammar issue ("url(", security)

From: fantasai <fantasai.lists@inkedblade.net>
Date: Wed, 02 Jan 2008 13:32:18 -0500
Message-ID: <477BD8B2.8040901@inkedblade.net>
To: www-style@w3.org

Anne van Kesteren wrote:
> Hi,
> In http://www.w3.org/TR/CSS21/grammar.html#scanner the productions 
> starting with "url(" need to be changed to start with {u}{r}{l}"(" 
> instead for more consistency with the rest of the CSS language. (IE7 and 
> Firefox already "break" with the specification here.)

Added as CSS2.1 issue 23:

> I think personally I'd be very much in favor of introducing 
> LITERAL_IDENT or something in that direction that does not allow escapes 
> and that we use that instead of allowing escapes all over the language. 
> This should also make the language more secure in the sense that people 
> are currently probably only comparing property strings on an (ASCII) 
> case-insensitive basis and don't care at all about escapes, etc. On the 
> other hand, most of those filters are probably whitelist based, which 
> would not expose them to this, but it still feels sort of icky.

I'll list this if Mozilla, Microsoft, or Apple also want to see it listed,
but not otherwise. It would be a pretty significant change.

Received on Wednesday, 2 January 2008 18:32:24 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:27:32 UTC