
[Bug 7626] Spec says: "Note: Removing an event handler content attribute does not reset the corresponding event handler attribute.". In fact browsers will remove or "deactivate" the listener when you remove the HTML attribute. Some browsers reset it to null or undef

From: <bugzilla@wiggum.w3.org>
Date: Tue, 29 Sep 2009 10:19:13 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1MsZnd-0007ZC-G7@wiggum.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=7626





--- Comment #5 from Hallvord R. M. Steen <hallvord@opera.com>  2009-09-29 10:19:11 ---
Thanks for answering the questions before I ask them :-)

Opera thinks it's a bug and intends to fix it. The reason is that we have
received reports that not doing so can open up XSS holes if user input is
parsed with a DOMParser and sanitised by walking the DOM and removing
attributes and tags that are not whitelisted. I cannot give you the source of
this information because the vulnerability may still be live on some sites, but
we think mirroring the listeners and the attributes as closely as legacy
content will allow would be the most expected behaviour from an author point of
view. I also believe that this is a relatively obscure corner case which is
unlikely to cause compat problems (particularly since browsers already
disagree).


Received on Tuesday, 29 September 2009 10:19:21 UTC
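
An added example, not part of the original message or of any browser's or site's code: a sanitiser that does not depend on what attribute removal does to the listener, because it copies allowlisted elements and attributes into freshly created nodes instead of stripping the parsed tree in place. The allowlists, the URL check and the function names are assumptions chosen for illustration.

```javascript
// Allowlists are assumptions for this example; adjust to the markup you accept.
const ALLOWED_TAGS = new Set(["A", "B", "EM", "I", "P", "STRONG"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);
// Only absolute http(s) and mailto URLs pass; relative URLs are dropped too.
const SAFE_URL = /^(https?:|mailto:)/i;

// Copy `node` into `targetDoc`, creating every element from scratch.
// The copy never carries an on* content attribute, so no event handler
// can have been set up for it, whatever the browser does on removal.
// Returns the new node, or null when the node is dropped.
function rebuild(node, targetDoc) {
  if (node.nodeType === 3) {                 // text node: copy the text only
    return targetDoc.createTextNode(node.nodeValue);
  }
  if (node.nodeType !== 1) return null;      // comments, PIs, etc. are dropped
  const tag = node.tagName.toUpperCase();
  if (!ALLOWED_TAGS.has(tag)) return null;   // dropped together with its subtree
  const copy = targetDoc.createElement(tag.toLowerCase());
  for (const attr of Array.from(node.attributes)) {
    const name = attr.name.toLowerCase();
    if (!ALLOWED_ATTRS.has(name)) continue;  // onclick, style, ... never copied
    if (name === "href" && !SAFE_URL.test(attr.value.trim())) continue;
    copy.setAttribute(name, attr.value);
  }
  for (const child of Array.from(node.childNodes)) {
    const rebuilt = rebuild(child, targetDoc);
    if (rebuilt) copy.appendChild(rebuilt);
  }
  return copy;
}

// Rebuild every child of the parsed root (for example the body of a
// DOMParser document) inside a new container owned by `targetDoc`.
function sanitiseInto(parsedRoot, targetDoc) {
  const container = targetDoc.createElement("div");
  for (const child of Array.from(parsedRoot.childNodes)) {
    const rebuilt = rebuild(child, targetDoc);
    if (rebuilt) container.appendChild(rebuilt);
  }
  return container;
}
```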

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:01 UTC