On Mon, 27 Dec 2010 14:24:39 +0900, Robert O'Callahan <robert@ocallahan.org> wrote: > The sanitization algorithm needs to consider <style> elements and 'style' > content attributes. Some browsers, e.g. IE, support CSS features that > allow script execution. Good point. Would it be sufficient to say something like "If the implementation supports embedding javascript: URLs or other forms of scripting inside CSS instructions, such scripts must be removed." ? -- Hallvord R. M. Steen, Core Tester, Opera Software http://www.opera.com http://my.opera.com/hallvors/Received on Tuesday, 4 January 2011 04:35:54 UTC
This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:15 UTC