- From: Mike West <notifications@github.com>
- Date: Mon, 28 Aug 2017 08:13:54 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 28 August 2017 15:14:19 UTC
With the overarching caveat that you ought to ensure that you're properly escaping variables before dumping them into HTML: * Assuming that `_relogios` is just plain text, then `<h3><?php echo _relogios ?></h3>` won't cause a request, so nothing will be blocked. * Assuming that `_fabrica` is just plain text, then `<img alt="<?php echo _fabrica ?>" src="images/fabrica.jpg">` does not populate the `src` field, and doesn't change the resource that's being loaded. * Navigation caused by `<a class="navbar-brand" href="index.php?hl=<?php echo $html_language ?>#page-top">` would potentially be blocked if `$html_language` contained a removable whitespace character (`\n`, `\r`, `\t`) _and_ an opening brace (`<`). @annevk: The first pass at this is shipping through Chrome beta right now, and Firefox folks have expressed pretty clear interest (https://bugzilla.mozilla.org/show_bug.cgi?id=1369029). When my life is somewhat less chaotic, I'd like to get back to hammering out a way to get this well-defined without upsetting Apple. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/519#issuecomment-325382397
Received on Monday, 28 August 2017 15:14:19 UTC