- From: Hallvord R. M. Steen <hallvord@opera.com>
- Date: Tue, 04 Jan 2011 13:35:38 +0900
- To: "Robert O'Callahan" <robert@ocallahan.org>
- Cc: public-webapps@w3.org
On Mon, 27 Dec 2010 14:24:39 +0900, Robert O'Callahan <robert@ocallahan.org> wrote: > The sanitization algorithm needs to consider <style> elements and 'style' > content attributes. Some browsers, e.g. IE, support CSS features that > allow script execution. Good point. Would it be sufficient to say something like "If the implementation supports embedding javascript: URLs or other forms of scripting inside CSS instructions, such scripts must be removed." ? -- Hallvord R. M. Steen, Core Tester, Opera Software http://www.opera.com http://my.opera.com/hallvors/
Received on Tuesday, 4 January 2011 04:35:54 UTC