Re: clipboard events

On Mon, 27 Dec 2010 14:24:39 +0900, Robert O'Callahan  
<robert@ocallahan.org> wrote:

> The sanitization algorithm needs to consider <style> elements and 'style'
> content attributes. Some browsers, e.g. IE, support CSS features that  
> allow script execution.

Good point. Would it be sufficient to say something like

"If the implementation supports embedding javascript: URLs or other forms  
of scripting inside CSS instructions, such scripts must be removed." ?

-- 
Hallvord R. M. Steen, Core Tester, Opera Software
http://www.opera.com http://my.opera.com/hallvors/

Received on Tuesday, 4 January 2011 04:35:54 UTC