[whatwg] External document subset support

2009/6/19 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> You can easily include a cross-domain script using a cross-domain DTD; just
> attach the malware as
> <!ATTLIST body onload CDATA ?{ sniper.shoot(); }? >
> and hope for the worst.
> Chris

You need to own the external subset, though, in order to add that
<!ATTLIST>. It is like saying that shared JS libraries are dangerous
because you import code from other sources.


Received on Friday, 19 June 2009 04:40:07 UTC