Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092)

Re @arturjanc 

> From a security perspective, I'd strongly favor allowlisting attributes permitted in attr() in order to mitigate these risks.

There's a compatibility concern, since `attr()` on pseudo-element `content` is already widely used, and there's no restriction on which attributes are allowed at all. From a [GitHub search result](https://github.com/search?l=&p=93&q=attr%28+language%3ACSS&ref=advsearch&type=Code), the choice of attribute used in `attr()` seems arbitrary.

How about disallowing `attr()` on certain elements? For example, no `attr()` on form control elements, `<script>`, `<style>`, `<link>`, etc.

-- 
GitHub Notification of comment by xiaochengh
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-631742447 using your GitHub account

Received on Wednesday, 20 May 2020 21:41:31 UTC