- From: Mike Samuel <mikesamuel@gmail.com>
- Date: Mon, 11 Mar 2013 19:18:39 -0400
- To: Adam Barth <w3c@adambarth.com>
- Cc: "Tab Atkins Jr." <jackalmage@gmail.com>, Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, Ojan Vafai <ojan@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>
2013/3/11 Adam Barth <w3c@adambarth.com>:
> On Mon, Mar 11, 2013 at 1:25 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
>> On Mon, Mar 11, 2013 at 1:12 PM, Adam Barth <w3c@adambarth.com> wrote:
>> I believe that supporting attribute names, and perhaps tagnames, from
>> inputs is also sufficiently useful and easy to secure.
>
> Those seem pretty dangerous. That lets the attacker choose things
> like "onclick" and "script", which might lead to script execution.

I've seen this requested to satisfy two use cases. <h{...}> can be used to create hierarchical structures from nested data, and <button onkey{...}> can be used to work around platform idiosyncrasies that cause developers to want to catch keypress events on some browsers and keydown on others.
Received on Monday, 11 March 2013 23:19:07 UTC
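As an added illustration (not code from the thread or from any template engine discussed in it), the following sketches the check an autoescaping template engine could apply to a hole that completes a tag or attribute name, covering the two use cases above (<h{...}> and <button onkey{...}>) while refusing the "onclick" and "script" cases Adam raises. The function names, allowlists and the prefix/fragment split are assumptions made for this example.

```javascript
'use strict';
// Added example, not from the thread. A template hole that completes a tag
// or attribute name is modelled as (literalPrefix, fragment): the prefix is
// what the template author wrote, the fragment is what data supplies.

// A data-supplied fragment may only contain name characters. Whitespace,
// '=', '/', '>' or quotes would let it end the name and start a new
// attribute or tag, so they are rejected before any other check.
const NAME_FRAGMENT = /^[A-Za-z0-9-]+$/;

// Tag names data may complete: heading levels only, so "script", "iframe"
// and friends can never be produced from data.
const TAG_ALLOWLIST = /^h[1-6]$/;

// Attribute names data may complete when the result is not a handler.
// Event handlers (on*), style and URL-valued attributes are deliberately
// absent because their values are interpreted as script, CSS or a target.
const ATTR_ALLOWLIST = new Set(['class', 'id', 'title', 'lang', 'dir', 'role']);

// Handler names data may complete, and only when the template author
// already wrote the "on" prefix (the keypress/keydown use case).
const EVENT_HANDLER_ALLOWLIST = new Set(['onkeydown', 'onkeypress', 'onkeyup']);

function fragmentOk(fragment) {
  return typeof fragment === 'string' && NAME_FRAGMENT.test(fragment);
}

// Returns the full lower-cased tag name, or null if the hole must stay empty.
function dynamicTagName(literalPrefix, fragment) {
  if (!fragmentOk(fragment)) return null;
  const name = (literalPrefix + fragment).toLowerCase();
  return TAG_ALLOWLIST.test(name) ? name : null;
}

// Returns the full lower-cased attribute name, or null if the hole must stay empty.
function dynamicAttrName(literalPrefix, fragment) {
  if (!fragmentOk(fragment)) return null;
  const name = (literalPrefix + fragment).toLowerCase();
  if (name.startsWith('on')) {
    // Data may finish a handler name only if the author chose the "on"
    // prefix, and even then only for the allowlisted keyboard events.
    const authorChoseHandler = literalPrefix.toLowerCase().startsWith('on');
    return authorChoseHandler && EVENT_HANDLER_ALLOWLIST.has(name) ? name : null;
  }
  return ATTR_ALLOWLIST.has(name) ? name : null;
}

module.exports = { dynamicTagName, dynamicAttrName };
```

A template runtime would drop the element or attribute (or fail the render) whenever these return null, rather than emitting the data-supplied name.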