Re: [csswg-drafts] [css-values] Security concerns regarding attr() (#5092) from Guillaume via GitHub on 2024-04-16 (public-css-archive@w3.org from April 2024)

From: Guillaume via GitHub <sysbot+gh@w3.org>
Date: Tue, 16 Apr 2024 07:51:01 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-2058459110-1713253859-sysbot+gh@w3.org>

An URL can be specified as a `<string>` in some productions. If I did not miss any, in [`filter()`](https://drafts.fxtf.org/filter-effects-1/#funcdef-filter) and [`image()`](https://drafts.csswg.org/css-images-4/#funcdef-image).

You might want to clarify it:

```diff
- attr() is not allowed to be used in any <url> value,
+ attr() is not allowed to be used as a <string> representing an URL value,
```

`attr(foo)` can only represent an URL in `filter: filter(attr(foo), opacity(1))`. But it can represent a color in `background-image: image(attr(foo))`: should it be invalid at computed value time in this case?

-- 
GitHub Notification of comment by cdoublev
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/5092#issuecomment-2058459110 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 16 April 2024 07:51:02 UTC