- From: <sird@rckc.at>
- Date: Mon, 31 Jan 2011 11:07:43 -0600
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Michal Zalewski <lcamtuf@coredump.cx>, Giorgio Maone <g.maone@informaction.com>, Adam Barth <w3c@adambarth.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Brandon Sterne <bsterne@mozilla.com>, "public-web-security@w3.org" <public-web-security@w3.org>
Hey!

Yeah, that was one of the suggestions.. But people considered it unsafe, because you could just close the </iframe>. To make it harder to make this type of mistakes.. they made it inside an attribute.

Greetz

-- Eduardo

On Mon, Jan 31, 2011 at 2:19 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> Ok well so the daft thing with seamless iframes in HTML attributes, why not
> use the node value? Since this isn't rendered on older browsers and you
> don't need to use entities to render HTML.
>
> <iframe>
> <![CDATA[182kDJsw82
>
>
> 182kDJsw82]]>
> </iframe>
>
> Then it works in XML too, you'd just have to watch out for closing cdata and
> iframe
Received on Monday, 31 January 2011 17:08:41 UTC
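
The trade-off discussed in this thread, as an added example that is not part of either message: it compares what a server has to neutralise when untrusted markup goes into an iframe attribute with what it has to watch for when the markup goes into the node value. The attribute name `srcdoc`, the function names, the marker and the sample input are assumptions made for the illustration.

```javascript
// Added illustration; names, marker and sample input are constructed.

// Attribute context: inside a double-quoted attribute value only '&' and '"'
// are significant to the HTML parser, so escaping those two is sufficient.
function escapeForAttribute(html) {
  return html.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

function embedInAttribute(untrusted) {
  return '<iframe srcdoc="' + escapeForAttribute(untrusted) + '"></iframe>';
}

// Node-value context, as proposed in the quoted message: the markup sits
// between the tags, wrapped in CDATA with a marker, and is not escaped.
function embedInBody(untrusted, marker) {
  return "<iframe>\n<![CDATA[" + marker + "\n" + untrusted + "\n" +
         marker + "]]>\n</iframe>";
}

// The two sequences the quoted message says must be watched for in the
// node-value form: a closing iframe tag (any letter case) and a CDATA close.
function bodyTerminators(untrusted) {
  const found = [];
  if (/<\/iframe/i.test(untrusted)) found.push("</iframe");
  if (untrusted.includes("]]>")) found.push("]]>");
  return found;
}

// In the attribute form the only way out is an unescaped double quote.
function attributeTerminators(escaped) {
  return escaped.includes('"') ? ['"'] : [];
}

// Constructed sample of untrusted markup containing a closing tag.
const sample = 'Hi "there" & bye</IFRAME><p>outside</p>';

function report(untrusted) {
  return {
    attribute: embedInAttribute(untrusted),
    attributeRisk: attributeTerminators(escapeForAttribute(untrusted)),
    body: embedInBody(untrusted, "MARKER-constructed"),
    bodyRisk: bodyTerminators(untrusted),
  };
}

console.log(report(sample));
```

For the sample, the node-value form still contains a closing tag in the untrusted part, while the attribute form has no unescaped quote left to end the value.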