- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 02 Jun 2014 09:08:56 -0400
- To: public-webapps@w3.org
On 6/2/14, 9:02 AM, James M Snell wrote:
> I suppose that If you
> needed the ability to sandbox them further, just wrap them inside a
> sandboxed iframe.

The worry here is sites that currently have html filters for user-provided content that don't know about <link> being able to run scripts. Clearly once a site knows about this they can adopt various mitigation strategies. The question is whether we're creating XSS vulnerabilities in sites that are currently not vulnerable by adding this functionality.

-Boris

P.S. A correctly written whitelist filter will filter these things out. Are we confident this is standard practice now?
Received on Monday, 2 June 2014 13:09:24 UTC
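
The distinction raised in the message above, as an added example that is not part of the original thread: a filter that removes only the elements it knows to be dangerous passes <link> through, while a whitelist filter drops it because it was never listed. The tag policy, the function names and the sample markup are hypothetical and constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical policy for a comment field: allowed tags and their attributes.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "p": set(), "br": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# What a filter written without knowledge of script-running <link> might block.
DENIED_TAGS = {"script", "iframe", "object", "embed"}
VOID = {"br", "link", "img", "meta"}

class _Filter(HTMLParser):
    """Re-serialises only the tags/attributes the policy callbacks accept."""
    def __init__(self, keep_tag, keep_attr):
        super().__init__(convert_charrefs=True)
        self.keep_tag, self.keep_attr, self.out = keep_tag, keep_attr, []

    def handle_starttag(self, tag, attrs):
        if not self.keep_tag(tag):
            return
        kept = [(k, v or "") for k, v in attrs if self.keep_attr(tag, k, v or "")]
        self.out.append("<" + tag + "".join(f' {k}="{escape(v)}"' for k, v in kept) + ">")

    def handle_endtag(self, tag):
        if self.keep_tag(tag) and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always emitted escaped

def _run(html, keep_tag, keep_attr):
    f = _Filter(keep_tag, keep_attr)
    f.feed(html)
    f.close()
    return "".join(f.out)

def denylist_filter(html):
    # Removes what it knows is bad; anything unknown passes, including <link>.
    return _run(html, lambda t: t not in DENIED_TAGS,
                lambda t, k, v: not k.startswith("on")
                and not v.strip().lower().startswith("javascript:"))

def allowlist_filter(html):
    # Keeps only what it knows is safe; <link> is dropped without special-casing.
    return _run(html, lambda t: t in ALLOWED,
                lambda t, k, v: k in ALLOWED[t]
                and (k != "href" or v.strip().lower().startswith(SAFE_SCHEMES)))

# Constructed sample of user-provided content.
SAMPLE = ('<p>Hi <b>there</b></p><script>x()</script>'
          '<link rel="import" href="https://example.invalid/c.html">')

if __name__ == "__main__":
    print("denylist: ", denylist_filter(SAMPLE))
    print("allowlist:", allowlist_filter(SAMPLE))
```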