
[whatwg] External document subset support

From: Giovanni Campagna <scampa.giovanni@gmail.com>
Date: Fri, 19 Jun 2009 13:40:07 +0200
Message-ID: <65307430906190440qacbdbd8o2c1afcd92810249e@mail.gmail.com>
2009/6/19 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> You can easily include a cross-domain script using a cross-domain DTD; just
> attach the malware as
>
> <!ATTLIST body onload CDATA "{ sniper.shoot(); }" >
>
> and hope for the worst.
>
> Chris

You need to own the external subset, though, in order to add that
<!ATTLIST>. It is like saying that shared JS libraries are dangerous
because you import code from other sources.

Giovanni
Received on Friday, 19 June 2009 04:40:07 UTC
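
The mechanism discussed in this message, as an added example that is not part of the original thread: a Python check that loads a DTD subset as an internal subset and reports every `<!ATTLIST>` default placed on an `on*` attribute, along with the attributes an empty element ends up carrying. The function name `audit_dtd`, the `on*` heuristic and the sample DTD are assumptions made for illustration.

```python
import xml.parsers.expat

# Constructed sample: the declaration quoted in the thread plus two benign ones.
SAMPLE_DTD = """
<!ATTLIST body onload CDATA "{ sniper.shoot(); }">
<!ATTLIST body lang CDATA "en">
<!ATTLIST body class CDATA #IMPLIED>
"""

def audit_dtd(dtd_text, root="body"):
    """Audit a DTD subset for defaulted event-handler attributes.

    Returns (findings, effective): findings lists (element, attribute,
    default) for each ATTLIST default on an on* attribute; effective is
    the attribute dict the parser reports for an empty <root/> element.
    Assumption: the subset is simple enough to be parsed as an internal
    subset (no conditional sections, no parameter entities inside
    declarations).
    """
    findings, effective = [], {}
    parser = xml.parsers.expat.ParserCreate()

    def on_attlist(elname, attname, type_, default, required):
        # default is None for #IMPLIED / #REQUIRED declarations.
        if default is not None and attname.lower().startswith("on"):
            findings.append((elname, attname, default))

    def on_start(name, attrs):
        # expat merges DTD defaults into the reported attributes.
        effective.update(attrs)

    parser.AttlistDeclHandler = on_attlist
    parser.StartElementHandler = on_start
    # No ExternalEntityRefHandler is set, so nothing is fetched.
    parser.Parse(f"<!DOCTYPE {root} [{dtd_text}]><{root}/>", True)
    return findings, effective

if __name__ == "__main__":
    findings, effective = audit_dtd(SAMPLE_DTD)
    for elname, attname, default in findings:
        print(f"default handler on <{elname}>: {attname}={default!r}")
    print("attributes on empty element:", effective)
```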
