- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Wed, 08 Sep 2010 13:26:18 +0200
- To: Kornel Lesiński <kornel@geekhood.net>
- CC: "Tab Atkins Jr." <jackalmage@gmail.com>, www-archive@w3.org
On 08.09.2010 12:14, Kornel Lesiński wrote: > ... > data: URI theoretically requires percent-escaping, but I don't see how failure to do so could cause security vulnerability in "data:text/html," content. > ... data *URI* requires percent escaping, but HTML5 uses IRIs (so you don't need to escape non-ASCII), and also has requirements to handle certain non-URI characters (so the attribute value would be invalid, but still work predictably). Best regards, Julian
Received on Wednesday, 8 September 2010 11:26:57 UTC