Re: [csswg-drafts] [css-values-4] Switch advanced attr() to being var()-like (#4482)

From: Emilio Cobos Álvarez via GitHub <sysbot+gh@w3.org>
Date: Tue, 05 Nov 2019 12:54:26 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-549810786-1572958465-sysbot+gh@w3.org>

Yeah, I agree with the above regarding the simplicity, not so sure about the `attr`-in-`attr` thing, that means you need to do cycle detection on that too, and that's one of the most expensive parts of `var()`.

For what it's worth, the other potentially annoying thing from a browser developer perspective is the opportunity for XSS. We right now sanitize away "unsafe" attributes / elements like `xlink:href` in `<use>` elements or what not. `attr()` opens the door to make any attribute potentially an image load, and thus which attributes you should sanitize becomes either "all of them", or starts depending on the CSS rules that apply on the page, or what not. I wonder if @hsivonen or @freddyb have thoughts about this kind of thing. Though IIRC the only thing we used to sanitize from `style` attributes and stylesheets is `-moz-binding`, so maybe image loads and such are not a problem at all and I'm just being paranoid.

GitHub Notification of comment by emilio
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4482#issuecomment-549810786 using your GitHub account
Received on Tuesday, 5 November 2019 12:54:28 UTC
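
The sanitizer concern raised in the message above, as an added example that is not part of the original message or of any browser's sanitizer code: a small audit that lists attributes a sanitizer passes through which a stylesheet reads via `attr()` outside `content`. It assumes the draft form `attr(<name> <type>?, <fallback>?)`; the allow-list, the stylesheet and the function names are constructed for illustration.

```javascript
// Constructed sanitizer allow-list: attributes passed through untouched
// because, without advanced attr(), they never trigger a load.
const SANITIZER_ALLOWED = new Set(["title", "alt", "data-bg", "data-label"]);

// Constructed stylesheet. Assumed syntax: attr(<name> <type>?, <fallback>?).
const SAMPLE_CSS = `
  /* legacy use: attr() yields a string in generated content */
  .tip::after { content: attr(title); }
  .card { background-image: attr(data-bg url); }
  .bar { width: attr(data-w px, 0); }
`;

// Collect every attr() reference together with the property that uses it.
function attrReferences(cssText) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, ""); // strip comments
  const refs = [];
  // Rough declaration matcher; selector fragments such as "a:hover" also
  // match but contain no attr() call, so they contribute nothing.
  for (const [, property, value] of css.matchAll(/([\w-]+)\s*:\s*([^;{}]+)/g)) {
    for (const [, name, type] of value.matchAll(/\battr\(\s*([\w-]+)\s*([\w-]*)/gi)) {
      refs.push({
        property: property.toLowerCase(),
        name: name.toLowerCase(),
        type: type.toLowerCase() || "string", // no type given: plain string
      });
    }
  }
  return refs;
}

// Attributes the sanitizer lets through that CSS now interprets outside
// `content`: the set to sanitize depends on the rules applied to the page.
function sanitizerGaps(cssText, allowed = SANITIZER_ALLOWED) {
  return attrReferences(cssText)
    .filter((r) => r.property !== "content" && allowed.has(r.name))
    .map((r) => `${r.name} -> ${r.property} (${r.type})`);
}

console.log(sanitizerGaps(SAMPLE_CSS));
```

Here `data-w` is not reported because the constructed allow-list already strips it, and `title` is not reported because its only use is string output in `content`.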