- From: Giorgio Maone <g.maone@informaction.com>
- Date: Mon, 02 Jun 2014 22:21:43 +0200
- To: Boris Zbarsky <bzbarsky@MIT.EDU>, public-webapps@w3.org

On 02/06/2014 15:01, Boris Zbarsky wrote:
> On 6/2/14, 8:54 AM, James M Snell wrote:
>> So long as they're handled with the same policy and restrictions as the
>> script tag, it shouldn't be any worse.
>
> It's worse for sites that have some sort of filtering on user-provided
> content but don't catch this case right now, no?
>
> -Boris

I do hope any filter already blocked out <link> elements, as CSS has been a XSS vector for a long time, courtesy of MSIE expressions and XBL bindings.

-- G

Received on Monday, 2 June 2014 20:22:09 UTC