- From: <bugzilla@wiggum.w3.org>
- Date: Tue, 29 Sep 2009 10:19:13 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=7626

--- Comment #5 from Hallvord R. M. Steen <hallvord@opera.com> 2009-09-29 10:19:11 ---

thanks for answering the questions before I ask them :-)

Opera thinks it's a bug and intends to fix it. The reason is that we have received reports that not doing so can open up XSS holes if user input is parsed with a DOMParser and sanitised by walking the DOM and removing attributes and tags that are not whitelisted.

I can not give you the source of this information because the vulnerability may still be live on some sites, but we think mirroring the listeners and the attributes as closely as legacy content will allow would be the most expected behaviour from an author point of view. I also believe that this is a relatively obscure corner case which is unlikely to cause compat problems (particularly since browsers already disagree).

Received on Tuesday, 29 September 2009 10:19:21 UTC
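
The sanitising pattern this comment describes edits the parsed nodes in place, so its safety depends on listeners and attributes staying in sync on those nodes. As an added example (not code from the bug report or from Opera), the sketch below copies allowlisted elements and attributes into freshly created nodes instead. The allowlist, `sanitizeInto`, `demo` and the `fake*` stand-ins for the DOM are assumptions made for this example.

```javascript
// Constructed allowlist for this example: element name -> permitted attributes.
const ALLOWED = new Map([["P", []], ["B", []], ["EM", []], ["SPAN", ["title"]]]);

// Copy allowlisted content from `src` into brand-new nodes created by `doc`.
// Parsed nodes are only read, never reused, so nothing attached to them is kept.
function sanitizeInto(doc, src) {
  const out = doc.createDocumentFragment();
  for (const child of Array.from(src.childNodes)) {
    if (child.nodeType === 3) {                    // text: copy the characters
      out.appendChild(doc.createTextNode(child.nodeValue));
    } else if (child.nodeType === 1) {             // element
      const attrs = ALLOWED.get(child.tagName.toUpperCase());
      if (!attrs) continue;                        // not allowlisted: drop subtree
      const copy = doc.createElement(child.tagName);
      for (const name of attrs) {
        const value = child.getAttribute(name);
        if (value !== null) copy.setAttribute(name, value);
      }
      copy.appendChild(sanitizeInto(doc, child));
      out.appendChild(copy);
    }                                              // comments etc. are not copied
  }
  return out;
}

// Stand-in for the few DOM methods used, so the example runs outside a browser.
function fakeEl(tagName, attrs = {}, childNodes = []) {
  return {
    nodeType: 1, tagName, attrs, childNodes, listeners: [],
    getAttribute(n) { return this.attrs[n] ?? null; },
    setAttribute(n, v) { this.attrs[n] = String(v); },
    appendChild(c) { this.childNodes.push(...(c.nodeType === 11 ? c.childNodes : [c])); return c; },
  };
}
const fakeText = (s) => ({ nodeType: 3, nodeValue: s });
const fakeDoc = {
  createElement: (t) => fakeEl(t),
  createTextNode: fakeText,
  createDocumentFragment: () => Object.assign(fakeEl("#fragment"), { nodeType: 11 }),
};

// Constructed input: the tree a parser would build for user-supplied markup,
// with a listener still attached to <p> to model the case in this report.
function demo() {
  const p = fakeEl("P", { onclick: "x()" }, [fakeText("hi")]);
  p.listeners.push("click");
  const body = fakeEl("BODY", {}, [p, fakeEl("SCRIPT", {}, [fakeText("x()")]),
    fakeEl("SPAN", { title: "t", onmouseover: "x()" }, [fakeText("ok")])]);
  return { p, clean: sanitizeInto(fakeDoc, body) };
}
```

In a browser the same function takes the real `document` as `doc` and the parsed document's root or body as `src`.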