
[Bug 9602] That autofocus attribute will wreak security havoc. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope

From: <bugzilla@jessica.w3.org>
Date: Wed, 04 Aug 2010 21:01:20 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Ogl5U-0007Ts-80@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602


Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Simetrical+w3cbug@gmail.com




--- Comment #9 from Aryeh Gregor <Simetrical+w3cbug@gmail.com>  2010-08-04 21:01:18 ---
Is anyone seriously going to go out of their way to attack the tiny percentage
of users who have script disabled?  Normal attackers will just use script;
something as convoluted as this is not worth the effort to them -- simple XSS
would be much easier to write and much more effective.  If some users don't
want autofocus, they can turn off autofocus as well as script (if their browser
permits).

Received on Wednesday, 4 August 2010 21:01:22 UTC
