Re: img issue: should we restrict the URI

David Dailey wrote:
> While I am not sure what problems we would have by 
> having scripts running inside <img> that we would not already have with 
> scripts running inside <object> or <iframe>

The problem is simple:  Authors expect script to run in <object>/<iframe> and 
take precautions.  They don't expect it in <img> and don't take precautions.  As 
a result, suddenly allowing script in <img> would make sites exploitable.


Received on Tuesday, 29 January 2008 15:42:20 UTC