- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 16 Jan 2010 18:44:41 +0100
- To: public-html@w3.org
Smylers wrote:
> Julian Reschke writes:
>
>> Ian Hickson wrote:
>>
>>> <iframe seamless sandbox="allow-scripts allow-forms" doc="
>>> Read my blog!
>>> <a href='#' onclick='alert(document.cookie)'> Click here</a>
>>> "> </iframe>
>>
>> I thought markup in attributes was a super-anti-pattern.
>>
>> How about adding one level of indirection?
>>
>> <iframe seamless sandbox="allow-scripts allow-forms"
>> doc="#x"> </iframe>
>>
>> ...
>>
>> <span id=x> <a href='#' onclick='alert(document.cookie)'> Click
>> here</a> </span>
>
> Wouldn't that have the security problem that a browser which doesn't
> know about sandbox will just have that content as a normal part of the
> page, unsandboxed?

Indeed. I misunderstood the use case.

> (Whereas using the attribute, a non-sandbox-supporting browser will
> simply ignore the attribute. The content won't render; which obviously
> isn't ideal, but it's preferable to being insecure.)

Putting markup into attributes is very ugly, so it appears to be
sub-optimal to add a way to do so.

Isn't a URI in the "data" scheme sufficient for this use case?

Best regards, Julian
Received on Saturday, 16 January 2010 17:45:22 UTC
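The two inline-content forms the thread weighs, as an added example (not code from the thread or from any browser vendor): the content is handed to the sandboxed frame either entity-escaped in an attribute, or percent-encoded in a data: URI, so in neither case does it become part of the parent document. The attribute is written here as srcdoc, the name the proposed doc attribute later shipped under; the sandbox tokens and the sample content are the ones quoted in the mail.

```javascript
// Added example, not from the thread. Pure string builders so it runs
// outside a browser; "srcdoc" is the shipped name of the proposed "doc".

const SANDBOX_TOKENS = 'allow-scripts allow-forms'; // tokens from the thread

// Escape a value for a double-quoted HTML attribute. This is the
// "markup in attributes" cost the mail objects to: every quote and
// ampersand in the embedded document has to be entity-encoded.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Form 1: document carried inline in the attribute. A browser that does
// not know the attribute renders nothing, the safe failure the reply prefers.
function iframeWithSrcdoc(html) {
  return `<iframe seamless sandbox="${SANDBOX_TOKENS}" ` +
         `srcdoc="${escapeAttr(html)}"></iframe>`;
}

// Form 2: the data: URI the mail asks about. Percent-encoding replaces
// entity-escaping; the markup never appears literally in the parent page.
function iframeWithDataUri(html) {
  const uri = 'data:text/html;charset=utf-8,' + encodeURIComponent(html);
  return `<iframe seamless sandbox="${SANDBOX_TOKENS}" src="${uri}"></iframe>`;
}

// Recover what the frame would receive, so a check can confirm that
// neither encoding altered the embedded document.
function srcdocToHtml(markup) {
  const m = /srcdoc="([^"]*)"/.exec(markup);
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, '<')
             .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}
function dataUriToHtml(markup) {
  const m = /src="data:text\/html;charset=utf-8,([^"]*)"/.exec(markup);
  return decodeURIComponent(m[1]);
}

// Constructed sample: the snippet quoted in the thread.
const sample = "Read my blog! <a href='#' onclick='alert(document.cookie)'>Click here</a>";
```

Either builder keeps the literal `<a ... onclick=...>` out of the parent page's markup, which is exactly what the `<span id=x>` indirection fails to do in a browser without sandbox support.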