Re: CSP XML Data with tokens

On 28 January 2011 16:56, <> wrote:

> Hi!
> The attribute "seamless" will do:
> 1. If you have b{color:blue} in the doc
> 2. You have:
> <iframe sandbox="allow-same-origin" seamless="seamless"
> srcdoc="<b>xD</b>"></iframe>
> 3. You get, a blue bold "xD".

So it puts HTML content inside an attribute! How would it handle entities? I
mean if an attribute is rendering as HTML then does &#39; become '? Who
thought putting HTML in attributes was a good idea? Does that mean stuff
like <a href=javascript&amp;#58;alert(1)>test</a> I like the idea of
externally included sandboxed HTML but not inline.

Received on Friday, 28 January 2011 17:16:44 UTC