
[whatwg] The <iframe> element and sandboxing ideas

From: Edward Z. Yang <edwardzyang@thewritingpot.com>
Date: Wed, 23 Jul 2008 19:29:54 -0600
Message-ID: <4887DB12.2060006@thewritingpot.com>

Frode Børli wrote:
> <td colspan='javascript(a + 5)'></td>
> Where a javascript returns the value in the colspan attribute. Many
> server side HTML sanitizers would have to be updated - unless we
> introduce a proper sandbox.

Or the HTML sanitizer could have done things properly and checked if
colspan was a numeric value. :-)

Disclaimer: I am one of those authors of server side HTML sanitizers you
speak of.
Received on Wednesday, 23 July 2008 18:29:54 UTC
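
The check suggested in the reply above, as an added example (not part of the original message and not code from any sanitizer project): an allowlist sanitizer that attaches a value validator to each permitted attribute, so colspan survives only as a plain integer. The tag list, the 1..1000 bound and all names are assumptions of this example.

```python
import re
from html import escape
from html.parser import HTMLParser

def positive_int(value, maximum=1000):
    """Return a normalized integer string, or None to drop the attribute."""
    # ASCII digits only: rejects 'javascript(a + 5)', '-1', '2e3', ' 3', None.
    if value is None or not re.fullmatch(r"[0-9]{1,4}", value):
        return None
    n = int(value)
    return str(n) if 1 <= n <= maximum else None

# Constructed allowlist: tag -> {attribute name: value validator}.
ALLOWED = {
    "table": {}, "tr": {},
    "td": {"colspan": positive_int},
    "th": {"colspan": positive_int},
}

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        rules = ALLOWED.get(tag)
        if rules is None:
            return  # tag not allowlisted: drop the tag itself
        kept = {}
        for name, value in attrs:
            check = rules.get(name)  # unknown attribute -> no validator -> dropped
            clean = check(value) if check else None
            if clean is not None:
                kept.setdefault(name, clean)  # first duplicate wins
        attr_text = "".join(f' {k}="{escape(v)}"' for k, v in kept.items())
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(markup):
    parser = Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

Because each value is checked against the type its attribute is supposed to hold, a scripted attribute value fails validation without the sanitizer needing to know that syntax exists.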
