- From: Kynn Bartlett <kynn@idyllmtn.com>
- Date: Fri, 9 Aug 2002 10:23:19 -0700
- To: "Peter Foti (PeterF)" <PeterF@SystolicNetworks.com>, "'www-style@w3.org'" <www-style@w3.org>
At 10:27 AM -0400 8/9/02, Peter Foti (PeterF) wrote:
>2. What would happen then for sites that allow users to enter data to be
>displayed, like on a message board? Suppose a user posts some style that
>adversely affects the layout of the rest of the page? For example:
><div>
> <style type="text/css">
> div
> {
> position : absolute;
> width : 100%;
> height : 100%;
> background-color : Black;
> top : 0px;
> left : 0px;
> }
> </style>
>
> <div>Ha Ha! I am blocking your entire page!</div>
></div>
I could do this now with inline style attributes too, though.
In fact, I did it once on LiveJournal -- I stuck a fixed button
(a link to my CSS book!) in the upper right corner of everyone's
friends lists. ;)
>This essentially opens up a very large security hole, in that you can cover
>the entire contents of a web page. This in itself is a good enough reason
>to NOT allow <style> elements within the body of a document.
But, see, most good message board software will filter out certain
tags. <style> would be one of those elements that's dumped.
--Kynn
--
Kynn Bartlett <kynn@idyllmtn.com> http://kynn.com
Chief Technologist, Idyll Mountain http://idyllmtn.com
Next Book: Teach Yourself CSS in 24 http://cssin24hours.com
Kynn on Web Accessibility ->> http://kynn.com/+sitepoint
Received on Friday, 9 August 2002 13:23:46 UTC
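
The tag filtering mentioned in the reply, sketched as an added example (not part of the original message or of any particular message board's code). The allowlist and the names `PostSanitizer` and `sanitize` are assumptions; the policy drops `<style>` with its contents and copies no attributes at all, so inline `style="..."` is removed as well.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for a hypothetical message board (not from the thread):
# small tag allowlist, no attributes kept, <style>/<script> bodies removed.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "div", "blockquote"}
DROP_WITH_CONTENT = {"style", "script"}


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1  # an unclosed <style> drops the rest of the post
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attrs deliberately not copied
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open_tags:
            while self.open_tags:  # close everything opened since the match
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped on output


def sanitize(post: str) -> str:
    parser = PostSanitizer()
    parser.feed(post)
    parser.close()
    # Balance any tags the poster left open so they cannot swallow the page.
    parser.out.extend(f"</{t}>" for t in reversed(parser.open_tags))
    return "".join(parser.out)


# Constructed inputs modelled on the two cases discussed in the thread.
STYLE_ELEMENT_POST = ('<div><style type="text/css">div { position: absolute; '
                      'width: 100%; height: 100%; }</style><div>Ha Ha!</div></div>')
INLINE_STYLE_POST = '<div style="position: fixed; top: 0; right: 0">my button</div>'
```

Parsing and re-serializing from an allowlist avoids pattern-matching on the raw markup, and anything the parser does not recognise as an allowed tag is either dropped or emitted as escaped text.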