- From: Robert O'Callahan <robert@ocallahan.org>
- Date: Tue, 4 Jan 2011 18:51:56 +1300
- To: "Hallvord R. M. Steen" <hallvord@opera.com>
- Cc: public-webapps@w3.org
- Message-ID: <AANLkTinq4dga43zz2-E4d=MbMi_ss2-cV250pJmTqiHb@mail.gmail.com>

On Tue, Jan 4, 2011 at 5:35 PM, Hallvord R. M. Steen <hallvord@opera.com> wrote:

> On Mon, 27 Dec 2010 14:24:39 +0900, Robert O'Callahan <robert@ocallahan.org> wrote:
>
>> The sanitization algorithm needs to consider <style> elements and 'style'
>> content attributes. Some browsers, e.g. IE, support CSS features that
>> allow script execution.
>
> Good point. Would it be sufficient to say something like
>
> "If the implementation supports embedding javascript: URLs or other forms
> of scripting inside CSS instructions, such scripts must be removed." ?

Probably not. One problem is that if some implementation supports CSS-triggered scripts via some CSS extension, then ideally other implementations would ensure that those extensions are stripped. E.g. Opera doesn't support IE's expression() CSS extension, but if an Opera user pastes untrusted HTML into a Web site, IE users may become vulnerable.

Maybe your spec should just mention that something needs to be done here and move on. This is a rather tough issue and it wouldn't be fair to make you responsible for solving it :-).

Rob
--
"Now the Bereans were of more noble character than the Thessalonians, for they received the message with great eagerness and examined the Scriptures every day to see if what Paul said was true." [Acts 17:11]

Received on Tuesday, 4 January 2011 05:52:25 UTC
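
The cross-implementation problem raised in the message above, as an added example that is not part of the original thread or of any spec text: a filter for the text of a 'style' attribute that keeps only allowlisted declarations, so the result does not depend on which CSS extensions the pasting browser itself supports. The function name `sanitizeStyle`, the property and function lists, and the sample inputs are assumptions made for illustration; `<style>` elements are out of scope here.

```javascript
// Added example (not from the thread): allowlist filter for 'style' attribute text.
// The property and function lists are illustrative assumptions.
const ALLOWED_PROPERTIES = new Set([
  'color', 'background-color', 'font-weight', 'font-style',
  'text-align', 'text-decoration', 'margin', 'padding', 'width',
]);
const ALLOWED_FUNCTIONS = new Set(['rgb', 'rgba', 'hsl', 'hsla']);

// Plain values only: no quotes, backslash escapes, comments, ':' or '/'.
const SAFE_VALUE = /^[a-z0-9#%.,\s()-]+$/i;
// Any '(' together with the identifier (possibly empty) in front of it.
const CALL = /([a-z0-9-]*)\s*\(/gi;

function sanitizeStyle(styleText) {
  const kept = [];
  // A naive split is acceptable because every fragment is validated and
  // anything that does not parse as an allowed declaration is dropped.
  for (const decl of styleText.split(';')) {
    const colon = decl.indexOf(':');
    if (colon < 0) continue;
    const prop = decl.slice(0, colon).trim().toLowerCase();
    const value = decl.slice(colon + 1).trim();
    if (!ALLOWED_PROPERTIES.has(prop)) continue;
    if (!SAFE_VALUE.test(value)) continue;
    // Unknown functional notation (e.g. expression()) is removed even if
    // the sanitizing implementation would never evaluate it itself.
    const calls = [...value.matchAll(CALL)];
    if (!calls.every((m) => ALLOWED_FUNCTIONS.has(m[1].toLowerCase()))) continue;
    kept.push(`${prop}: ${value}`);
  }
  return kept.join('; ');
}

// Constructed sample inputs.
const SAMPLES = [
  'color: red; width: expression(alert(1))',
  'background-color: url(javascript:void)',
  'color: rgb(10, 20, 30); margin: 0 auto',
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(sanitizeStyle(s)));
}
```
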