Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

From: Simon Sapin via GitHub <sysbot+gh@w3.org>
Date: Tue, 10 Jul 2018 05:27:50 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-403704664-1531200470-sysbot+gh@w3.org>

To be clear, my mentioning control characters was an attempt to show how arbitrary a heuristic it is to look for U+0000 *or* some other set of code points, not an actual proposal.

I think that the CSS tokenizer is the wrong layer to fix this. If the concern is for example with `file:///C:/Users/me/Downloads/evil.html` requesting `file:///C:/Users/Me/AppData/GoogleChrome/passwords.sqlite`, wouldn’t a heuristic based on URLs be better? For example, going "up" a directory, or going through a directory that the OS considers hidden.

GitHub Notification of comment by SimonSapin
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-403704664 using your GitHub account
Received on Tuesday, 10 July 2018 05:28:21 UTC
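
The URL-based heuristic suggested in the message above, sketched as an added example; it is not part of the original message, the CSS specification, or any browser's code. The names `classifyFileRequest`, `pathSegments` and `dotPrefixed` are hypothetical, the dot-prefix test is an assumed stand-in for asking the OS whether a directory is hidden, and path comparison is exact-case, which errs toward refusing.

```javascript
// Added illustration: decide whether a file: document may load a file: subresource.
// Assumption: "hidden" is approximated by a leading dot; a real check would query the OS.
const dotPrefixed = (name) => name.startsWith(".");

// Split a parsed URL's path into decoded segments. The URL parser has already
// resolved "." and ".." (including their percent-encoded forms) at this point.
function pathSegments(url) {
  return url.pathname.split("/").filter(Boolean).map((s) => {
    try { return decodeURIComponent(s); } catch { return s; }
  });
}

function classifyFileRequest(documentUrl, requestUrl, isHidden = dotPrefixed) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl, doc); // relative references resolve against the document
  if (doc.protocol !== "file:" || req.protocol !== "file:") {
    return { allowed: true, reason: "not file-to-file" }; // outside this heuristic's scope
  }
  if (doc.host !== req.host) {
    return { allowed: false, reason: "different host" };
  }
  // Directory that contains the document: drop the file name unless the URL names a directory.
  const docSegs = pathSegments(doc);
  const docDir = doc.pathname.endsWith("/") ? docSegs : docSegs.slice(0, -1);
  const reqSegs = pathSegments(req);

  // Going "up": the resolved target is not below the document's own directory.
  // Exact-case comparison: on a case-insensitive file system this refuses more than needed.
  const below = reqSegs.length > docDir.length &&
    docDir.every((seg, i) => seg === reqSegs[i]);
  if (!below) {
    return { allowed: false, reason: "outside document directory" };
  }
  // Going through a hidden directory on the way down.
  if (reqSegs.slice(docDir.length).some(isHidden)) {
    return { allowed: false, reason: "hidden directory" };
  }
  return { allowed: true, reason: "same directory subtree" };
}

// Constructed sample input: the pair of URLs quoted in the message.
const sample = classifyFileRequest(
  "file:///C:/Users/me/Downloads/evil.html",
  "file:///C:/Users/Me/AppData/GoogleChrome/passwords.sqlite");
console.log(sample); // refused: the target is outside Downloads/
```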