[csswg-drafts] [css-forms-1] control-value() security and handling (#11860) from Tab Atkins Jr. via GitHub on 2025-03-06 (public-css-archive@w3.org from March 2025)

From: Tab Atkins Jr. via GitHub <sysbot+gh@w3.org>
Date: Thu, 06 Mar 2025 22:47:08 +0000
To: public-css-archive@w3.org
Message-ID: <issues.opened-2901591368-1741301226-sysbot+gh@w3.org>

tabatkins has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-forms-1] control-value() security and handling ==
`control-value()` is morally equivalent to `attr()`, just with some special handling of the values since we know something about types. So, it should work identically to `attr()`:

* it's an "arbitrary substitution function"
* it has the same tainting behavior as attr() (and so can't be used in a URL)

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/11860 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 6 March 2025 22:47:09 UTC