RE: Why is the style tag restricted to the head? from Peter Foti (PeterF) on 2002-08-09 (www-style@w3.org from August 2002)

From: Peter Foti (PeterF) <PeterF@SystolicNetworks.com>
Date: Fri, 9 Aug 2002 13:21:11 -0400
To: "'www-style@w3.org'" <www-style@w3.org>
Message-ID: <A10A983C9DFBD4119F0300104B2EA6B70F9D00@ZIPPY>

> > Peter Foti (PeterF) <PeterF@SystolicNetworks.com>:
> > 
> > > 2.  What would happen then for sites that allow users to 
> > enter data to be
> > > displayed, like on a message board?  Suppose a user posts 
> > some style that
> > > adversely affects the layout of the rest of the page?  
> For example:
> > >
> > > <div>
> > >    <style type="text/css">
> > >    div
> > >    {
> > >       position : absolute;
> > >       width : 100%;
> > >       height : 100%;
> > >       background-color : Black;
> > >       top : 0px;
> > >       left : 0px;
> > >    }
> > >    </style>
> > >
> > >    <div>Ha Ha!  I am blocking your entire page!</div>
> > > </div>
> > >
> > > This essentially opens up a very large security whole, in 
> > that you can cover
> > > the entire contents of a web page.  This in itself is a 
> > good enough reason
> > > to NOT allow <style> elements within the body of a document.
> > 
> > You can do that right now on any web-based message board that 
> > allows for HTML in
> > posts.  I did something like that as a joke once.  <div 
> > style="position :
> > absolute;width : 100%;height : 100%;background-color : 
> > Black;top : 0px;left :
> > 0px;">text</div>.  
> 
> 
> Isn't this then a good enough reason to also get rid of the 
> style attribute?
> :)

Actually, I would like to ammend that last comment that I made.  I do not
feel that <style> elements should be included within the <body> element.  I
do not feel that the style attribute should be used to specify properies of
the element (because this does not separate presentation from structure).
However, I do agree with the idea of importing a stylesheet to be applied as
a scoped style sheet.

As it appears in the working draft
http://www.w3.org/TR/2002/WD-css-style-attr-20020515

Importing a style sheet to apply as a scoped style sheet: 
<div class="navigation">
          style="@import url(navigationstyles.css);">...</div>

I agree with this approach because presentation is still kept separate from
structure.  I'm glad to see that this is included in the working draft.

Regards,
Pete

Received on Friday, 9 August 2002 13:15:14 UTC