Re: HTML imports: new XSS hole?

On 6/2/14, 4:21 PM, Giorgio Maone wrote:
> I do hope any filter already blocked out <link> elements, as CSS has
> been a XSS vector for a long time

<link> elements without "stylesheet" in rel don't load CSS, though.

Hence the worries about blacklist vs whitelist...

-Boris

Received on Monday, 2 June 2014 20:49:34 UTC
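
The blacklist-versus-whitelist concern in the message above, as an added example that is not part of the original thread: a filter that only drops <link> elements whose rel contains "stylesheet" keeps the "import" token used by HTML imports, while a filter that keeps only listed tokens drops it. The permitted-token list, the function names and the sample rel values are assumptions constructed for illustration.

```javascript
// Added example: blocklist vs allowlist checks on a <link> element's rel value.
// ALLOWED_REL is an assumed policy for this sketch, not one taken from the thread.
const BLOCKED_REL = new Set(["stylesheet"]);
const ALLOWED_REL = new Set(["author", "help", "license", "canonical"]);

// rel is a list of whitespace-separated tokens; lowercase them for comparison.
function relTokens(rel) {
  return String(rel ?? "")
    .split(/[ \t\n\f\r]+/)
    .filter(Boolean)
    .map((t) => t.toLowerCase());
}

// Blocklist: keep the element unless a known-dangerous token is present.
function blocklistKeeps(rel) {
  return !relTokens(rel).some((t) => BLOCKED_REL.has(t));
}

// Allowlist: keep the element only if every token is explicitly permitted.
// An empty or missing rel is dropped, since nothing vouches for it.
function allowlistKeeps(rel) {
  const tokens = relTokens(rel);
  return tokens.length > 0 && tokens.every((t) => ALLOWED_REL.has(t));
}

// Constructed sample rel values.
const SAMPLES = ["stylesheet", "alternate StyleSheet", "import", "license import", "author", ""];

// Run both policies over the samples so the disagreements are visible side by side.
function compare(samples) {
  return samples.map((rel) => ({
    rel,
    blocklist: blocklistKeeps(rel),
    allowlist: allowlistKeeps(rel),
  }));
}

for (const row of compare(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

The two policies disagree exactly on the values the blocklist author never anticipated: "import", "license import" and the empty rel.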