W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2014

Re: HTML imports: new XSS hole?

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Mon, 02 Jun 2014 16:49:04 -0400
Message-ID: <538CE340.5040305@mit.edu>
To: Giorgio Maone <g.maone@informaction.com>, public-webapps@w3.org
On 6/2/14, 4:21 PM, Giorgio Maone wrote:
> I do hope any filter already blocked out <link> elements, as CSS has
> been a XSS vector for a long time

<link> elements without "stylesheet" in rel don't load CSS, though.

Hence the worries about blacklist vs whitelist...

-Boris
Received on Monday, 2 June 2014 20:49:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:14:24 UTC