Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from Xiaocheng Hu via GitHub on 2020-05-20 (public-css-archive@w3.org from May 2020)

From: Xiaocheng Hu via GitHub <sysbot+gh@w3.org>
Date: Wed, 20 May 2020 21:41:29 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-631742447-1590010888-sysbot+gh@w3.org>

Re @arturjanc 

> From a security perspective, I'd strongly favor allowlisting attributes permitted in attr() in order to mitigate these risks.

There's a compatibility concern, since `attr()` on pseudo-element `content` is already widely used, and there's no restriction to which attributes are allowed at all. From a [github search result](https://github.com/search?l=&p=93&q=attr%28+language%3ACSS&ref=advsearch&type=Code), the choice of attribute used in `attr()` seems arbitrary.

How about disallowing `attr()` on certain elements? For example, no `attr()` on form control elements, `<script>`, `<style>`, `<link>`, etc.

-- 
GitHub Notification of comment by xiaochengh
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-631742447 using your GitHub account

Received on Wednesday, 20 May 2020 21:41:31 UTC