Re: [csswg-drafts] [css-syntax] Consider disallowing NULL code points in stylesheets

To be clear, my mentioning control characters was an attempt to show how arbitrary a heuristic it is to look for U+0000 *or* some other set of code points, not an actual proposal.

I think that the CSS tokenizer is the wrong layer to fix this. If the concern is, for example, with `file:///C:/Users/me/Downloads/evil.html` requesting `file:///C:/Users/Me/AppData/GoogleChrome/passwords.sqlite`, wouldn’t a heuristic based on URLs be better? For example, going "up" a directory, or going through a directory that the OS considers hidden.

-- 
GitHub Notification of comment by SimonSapin
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/2757#issuecomment-403704664 using your GitHub account

Received on Tuesday, 10 July 2018 05:28:21 UTC
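
A sketch of the URL-based heuristic suggested in the comment above, added here as an illustration and not taken from the thread, the CSS specifications or any browser. The function names, the result strings, the case-insensitive path comparison and the hidden-directory rule (a leading dot, or a name in a small constructed list) are all assumptions, since a URL alone cannot reveal the OS "hidden" attribute.

```javascript
// Added illustration: classify a subresource request made by a file: document.
// HIDDEN_NAMES is a constructed stand-in for "directories the OS considers hidden".
const HIDDEN_NAMES = new Set(["appdata"]);

function safeDecode(segment) {
  // Malformed percent-escapes are left as-is rather than throwing.
  try { return decodeURIComponent(segment); } catch { return segment; }
}

function pathSegments(url) {
  // The URL parser has already resolved "." and ".." (including %2e forms).
  return url.pathname.split("/").filter(Boolean).map(safeDecode);
}

function classifyFileRequest(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl, doc); // relative references resolve against the document
  if (doc.protocol !== "file:" || req.protocol !== "file:") return "not-applicable";

  const docDir = pathSegments(doc).slice(0, -1); // directory holding the document
  const reqDir = pathSegments(req).slice(0, -1); // directory holding the target

  // Assumption: compare case-insensitively, as the two paths in the comment
  // differ only in case ("me" / "Me") on a case-insensitive file system.
  const same = (a, b) => a.toLowerCase() === b.toLowerCase();
  const inside = docDir.length <= reqDir.length &&
                 docDir.every((seg, i) => same(seg, reqDir[i]));
  if (!inside) return "blocked: leaves document directory"; // went "up" a directory

  // Only directories below the document's own directory are checked.
  const below = reqDir.slice(docDir.length);
  const hidden = below.some(
    (seg) => seg.startsWith(".") || HIDDEN_NAMES.has(seg.toLowerCase())
  );
  return hidden ? "blocked: hidden directory" : "allowed";
}
```
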