- From: Philippe Le Hegaret <plh@w3.org>
- Date: 24 Mar 2003 17:27:10 -0500
- To: Paul Arzul <patricka@mkdoc.com>
- Cc: www-validator-css@w3.org
On Wed, 2003-03-12 at 07:29, Paul Arzul wrote:
> unescaped html in "Valid CSS informations" is a potential security issue.
>
> simple test case[1]:
>
> body:before
> {
> content: "<script>alert('Hello World')</script>";
> }
This bug has been added in the bugzilla database:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=145
> Paul Arzul wrote:
> >
> > a:before
> > {
> > content: "<b>bold</b>";
> > }
> >
> > validates fine - but the validator generated html produced is:
> >
> > <b>bold</b>
> >
> > when it should[1] be:
> >
> > &lt;b&gt;bold&lt;/b&gt;
I believe this is the same bug.
Philippe
Received on Monday, 24 March 2003 17:27:16 UTC
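
The fix this thread calls for is to HTML-escape every piece of stylesheet text before writing it into the results page. The sketch below is an added illustration, not code from the original messages or from the validator itself. The parser, the function names and the report layout are assumptions made for the example; the sample input is built from the two test cases quoted above.

```python
import html
import re

# Constructed sample input: the two test cases quoted in the thread.
SAMPLE_CSS = """
body:before { content: "<script>alert('Hello World')</script>"; }
a:before { content: "<b>bold</b>"; }
"""

# Minimal matchers for this example only (no nested blocks, no comments).
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")
# A value may contain quoted strings, which may themselves contain ';'.
DECL_RE = re.compile(r"""([\w-]+)\s*:\s*((?:"[^"]*"|'[^']*'|[^;"'])+)""")


def parse_rules(css):
    """Return [(selector, [(property, value), ...]), ...]."""
    rules = []
    for selector, body in RULE_RE.findall(css):
        decls = [(p, v.strip()) for p, v in DECL_RE.findall(body)]
        rules.append((selector.strip(), decls))
    return rules


def render_report(rules, escape=True):
    """Render parsed rules as an HTML listing.

    escape=False reproduces the reported behaviour: stylesheet text is
    copied into the page verbatim, so markup inside a CSS string becomes
    live markup. escape=True encodes every user-supplied token.
    """
    esc = html.escape if escape else (lambda s: s)
    out = ["<pre>"]
    for selector, decls in rules:
        out.append(f"{esc(selector)} {{")
        for prop, value in decls:
            out.append(f"  {esc(prop)}: {esc(value)};")
        out.append("}")
    out.append("</pre>")
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_CSS)
    print(render_report(parsed, escape=False))  # markup passes through
    print(render_report(parsed, escape=True))   # markup shown as text
```

Selectors and property names are escaped along with values, because all three come from the submitted stylesheet.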