- From: Oriol Brufau via GitHub <sysbot+gh@w3.org>
- Date: Wed, 12 Oct 2022 01:50:18 +0000
- To: public-css-archive@w3.org
Not attackers with physical access that can use the console. I mean attackers that use XSS or something to insert malicious third-party CSS into a legitimate website. And sure, if the attacker can inject JS then it will be trivial, but typically there are more protections against JS injection than against CSS injection. Just mentioning this since some concerts were already raised about `attr()`, which doesn't have access to the current value, `value()` is more dangerous. -- GitHub Notification of comment by Loirooriol Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/7869#issuecomment-1275480668 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 12 October 2022 01:50:20 UTC