W3C home > Mailing lists > Public > www-archive@w3.org > September 2010

Re: @sandboxsrc proposal

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 08 Sep 2010 13:26:18 +0200
Message-ID: <4C8772DA.3050705@gmx.de>
To: Kornel Lesiński <kornel@geekhood.net>
CC: "Tab Atkins Jr." <jackalmage@gmail.com>, www-archive@w3.org
On 08.09.2010 12:14, Kornel Lesiński wrote:
> ...
> data: URI theoretically requires percent-escaping, but I don't see how failure to do so could cause security vulnerability in "data:text/html," content.
> ...

data *URI* requires percent escaping, but HTML5 uses IRIs (so you don't 
need to escape non-ASCII), and also has requirements to handle certain 
non-URI characters (so the attribute value would be invalid, but still 
work predictably).

Best regards, Julian
Received on Wednesday, 8 September 2010 11:26:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:33:53 UTC