Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from Mats Palmgren via GitHub on 2020-05-20 (public-css-archive@w3.org from May 2020)

From: Mats Palmgren via GitHub <sysbot+gh@w3.org>
Date: Wed, 20 May 2020 10:22:30 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-631386624-1589970150-sysbot+gh@w3.org>

> Currently, `attr()` works only in the `content` property which is limited to `::before` and `::after` pseudoelements.

It's not limited to `::before/::after`. The [spec](https://drafts.csswg.org/css-content-3/#content-property) for the `content` property says:
> Applies to: all elements, tree-abiding pseudo-elements, and page margin boxes

It's not implemented for (non-pseudo) elements yet in any UAs as far as I know, but at least Gecko supports it on `::marker` (and we intend to support it on all elements at some point).

I don't think that changes the security aspects though, since it would still be considered _generated content_; same as for pseudos.

-- 
GitHub Notification of comment by MatsPalmgren
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-631386624 using your GitHub account

Received on Wednesday, 20 May 2020 10:22:32 UTC