- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 11 Mar 2013 23:25:58 +0000 (UTC)
- To: Mike Samuel <mikesamuel@gmail.com>
- cc: "public-script-coord@w3.org" <public-script-coord@w3.org>
On Mon, 11 Mar 2013, Mike Samuel wrote:
> 2013/3/11 Adam Barth <w3c@adambarth.com>:
> > On Mon, Mar 11, 2013 at 1:25 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> >> On Mon, Mar 11, 2013 at 1:12 PM, Adam Barth <w3c@adambarth.com>
> >> wrote: I believe that supporting attribute names, and perhaps
> >> tagnames, from inputs is also sufficiently useful and easy to secure.
> >
> > Those seem pretty dangerous. That lets the attacker choose things
> > like "onclick" and "script", which might lead to script execution.
>
> I've seen this requested to satisfy two usecases. <h{...}> can be used
> to create hierarchical structures from nested data

FWIW, HTML solves this now using <section> and <h1>.

> and <button onkey{...}> can be used to workaround platform
> idiosyncrasies that cause developers to want to catch keypress events on
> some browsers and keydown on others..

That seems like something we should fix by fixing the API, not by adding
another feature.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 March 2013 23:26:21 UTC
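
The concern quoted above (input choosing names such as "onclick" or "script"), shown as an added example that is not part of the original message or of any proposal in the thread: a name hole is only filled when the static prefix plus the input lands in a closed set declared for that prefix. The function name, tables and sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example: completeName and both tables are hypothetical names.
// Each static template prefix maps to the closed set of names it may become.
const TAG_COMPLETIONS = new Map([
  ['h', new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6'])],
]);
const ATTR_COMPLETIONS = new Map([
  ['onkey', new Set(['onkeydown', 'onkeypress', 'onkeyup'])],
]);

// kind: 'tag' or 'attr'; prefix: literal text from the template author;
// input: untrusted value filling the {...} hole.
function completeName(kind, prefix, input) {
  const table = kind === 'tag' ? TAG_COMPLETIONS
              : kind === 'attr' ? ATTR_COMPLETIONS : null;
  if (!table) throw new TypeError('unknown hole kind: ' + kind);
  const allowed = table.get(prefix);
  // HTML tag and attribute names are ASCII case-insensitive, so compare
  // and return the lowercased form.
  const candidate = (prefix + String(input)).toLowerCase();
  // No entry for the prefix (including a bare hole with an empty prefix)
  // means the input would pick the whole name: reject.
  if (!allowed || !allowed.has(candidate)) {
    throw new RangeError('rejected ' + kind + ' name: ' + JSON.stringify(candidate));
  }
  return candidate;
}

// Constructed sample inputs: [kind, static prefix, untrusted input].
const SAMPLES = [
  ['tag', 'h', '2'],            // <h{...}> use case from the thread
  ['attr', 'onkey', 'Down'],    // <button onkey{...}> use case
  ['tag', '', 'script'],        // input chooses the whole tag name
  ['attr', '', 'onclick'],      // input chooses the whole attribute name
  ['tag', 'h', 'tml'],          // prefix completed to an unintended element
  ['tag', 'h', '1 onclick=x'],  // input tries to smuggle extra markup
];

// Returns the accepted name for each sample, or null where it was rejected.
function runSamples() {
  return SAMPLES.map(([kind, prefix, input]) => {
    try { return completeName(kind, prefix, input); }
    catch (e) { return null; }
  });
}

console.log(runSamples());
```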