(sorry -- i forgot to enclosed the emails.) please find them attached now. - p
attached mail follows:
unescaped html in "Valid CSS informations" is a potential security issue.
simple test case[1]:
body:before
{
content: "<script>alert('Hello World')</script>";
}
- p
(aside: i think "Valid CSS informations" should read "Valid CSS Statements"[2,3],
or simply just "Valid CSS".)
--
[1]
http://jigsaw.w3.org/css-validator/validator?text=body%3Abefore%0D%0A%7B%0D%0A++content%3A+%22%3Cscript%3Ealert%28%27Hello+World%27%29%3C%2Fscript%3E%22%3B%0D%0A%7D%0D%0A&warning=1&profile=css2&usermedium=all
[2] http://www.w3.org/TR/REC-CSS2/syndata.html#q5
[3] http://www.wsu.edu/~gordonl/ESL/answer1.htm
Paul Arzul wrote:
>
> a:before
> {
> content: "<b>bold</b>";
> }
>
> validates fine - but the validator generated html produced is:
>
> <b>bold</b>
>
> when it should[1] be:
>
> <b>bold</b>
>
> - p
>
> --
> 1. http://www.w3.org/TR/html4/charset.html#didx-character_entity_references
attached mail follows:
kevin c smith wrote on webdesign-l (http://webdesign-L.com/): > > One thing you'll need to fix is that floated elements must have a width > declared: > > <http://www.w3.org/TR/REC-CSS2/visuren.html#floats> elements with intrinsic width include: html, img, input, textarea, select, and object. so the following should NOT create a warning: img { float: right; } for non-replaced elements (i.e. elements with no intrinsic width), could we please issue a warning if no width is given? for example, the following paragraph rule set SHOULD create a missing width warning: p { float: right; } - pReceived on Monday, 24 March 2003 17:07:33 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 June 2012 00:14:11 GMT