[Bug 9602] That autofocus attribute will wreak security havoc. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope


Aryeh Gregor <Simetrical+w3cbug@gmail.com> changed:

           What    |Removed                     |Added
                 CC|                            |Simetrical+w3cbug@gmail.com

--- Comment #9 from Aryeh Gregor <Simetrical+w3cbug@gmail.com>  2010-08-04 21:01:18 ---
Is anyone seriously going to go out of their way to attack the tiny percentage
of users who have script disabled?  Normal attackers will just use script;
something as convoluted as this is not worth the effort to them -- simple XSS
would be much easier to write and much more effective.  If some users don't
want autofocus, they can turn off autofocus as well as script (if their browser

Received on Wednesday, 4 August 2010 21:01:22 UTC