Re: HTML imports: new XSS hole?

On 02/06/2014 15:01, Boris Zbarsky wrote:
> On 6/2/14, 8:54 AM, James M Snell wrote:
>> So long as they're handled with the same policy and restrictions as the
>> script tag, it shouldn't be any worse.
>
> It's worse for sites that have some sort of filtering on user-provided
> content but don't catch this case right now, no?
>
> -Boris
>

I do hope any filter already blocked out <link> elements, as CSS has
been a XSS vector for a long time, courtesy of MSIE expressions and XBL
bindings.
-- G

Received on Monday, 2 June 2014 20:22:09 UTC