- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Mon, 02 Jun 2014 16:49:04 -0400
- To: Giorgio Maone <g.maone@informaction.com>, public-webapps@w3.org
On 6/2/14, 4:21 PM, Giorgio Maone wrote: > I do hope any filter already blocked out <link> elements, as CSS has > been a XSS vector for a long time <link> elements without "stylesheet" in rel don't load CSS, though. Hence the worries about blacklist vs whitelist... -Boris
Received on Monday, 2 June 2014 20:49:34 UTC