- From: Peter Foti (PeterF) <PeterF@SystolicNetworks.com>
- Date: Fri, 9 Aug 2002 13:03:05 -0400
- To: "'www-style@w3.org'" <www-style@w3.org>
> Peter Foti (PeterF) <PeterF@SystolicNetworks.com>:
>
> > 2. What would happen then for sites that allow users to
> enter data to be
> > displayed, like on a message board? Suppose a user posts
> some style that
> > adversely affects the layout of the rest of the page? For example:
> >
> > <div>
> > <style type="text/css">
> > div
> > {
> > position : absolute;
> > width : 100%;
> > height : 100%;
> > background-color : Black;
> > top : 0px;
> > left : 0px;
> > }
> > </style>
> >
> > <div>Ha Ha! I am blocking your entire page!</div>
> > </div>
> >
> > This essentially opens up a very large security whole, in
> that you can cover
> > the entire contents of a web page. This in itself is a
> good enough reason
> > to NOT allow <style> elements within the body of a document.
>
> You can do that right now on any web-based message board that
> allows for HTML in
> posts. I did something like that as a joke once. <div
> style="position :
> absolute;width : 100%;height : 100%;background-color :
> Black;top : 0px;left :
> 0px;">text</div>.
Isn't this then a good enough reason to also get rid of the style attribute?
:)
-Peter
Received on Friday, 9 August 2002 12:57:06 UTC