- From: Andrew Fedoniouk <news@terrainformatica.com>
- Date: Wed, 4 Apr 2007 13:00:53 -0700
- To: "fantasai" <fantasai.lists@inkedblade.net>, <www-style@w3.org>
----- Original Message -----
From: "fantasai" <fantasai.lists@inkedblade.net>
To: <www-style@w3.org>
Sent: Wednesday, April 04, 2007 1:22 PM
Subject: [becss] security notice
|
| The BeCSS draft should note somewhere that the 'binding'
| property can introduce scripting and, unlike other CSS
| properties, may need to be stripped out of user-submitted
| content on sites like LiveJournal and weblogs.
|
| ~fantasai
|
In principle, 'binding', 'behavio[u]r' and similar attributes
shall not have url/uri/iri values - just ids.
In any case binding is technology dependent - not all resources
can be presented as URLs now.
As an example, CSS:
    li.myclass { binding: MyButton; }
and in script (global namespace):
    var MyButton =
    {
      onmousedown: function() { /* ... */ },
      onmouseup: function() { /* ... */ }
    };
Here the binding point defines one 'class' from many in some script file.
The same can be applied to XBL and other similar technologies.
And more: ideally CSS should also allow import of
scripts and other resources:
    @media screen
    {
      @import-resource application/javascript "./my-componentes.js"
    }
This way a single CSS file may be used for styling presentation and behavior,
allowing HTML to be used for semantic purposes only.
Andrew Fedoniouk.
http://terrainformatica.com
Received on Wednesday, 4 April 2007 19:59:50 UTC
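
The stripping that the quoted notice asks for, sketched as an added example; it is not part of either message and not code from the BeCSS draft. It assumes the untrusted input is a declaration list (a style attribute or one rule body), treats `-moz-binding` and IE's `behavior` as shipped counterparts of the draft's `binding`, and uses hypothetical function names.

```javascript
// Added example: filter an untrusted CSS declaration list (style attribute or one
// rule body). All function names are hypothetical; the sample input is constructed.
const SCRIPT_PROPS = new Set(['binding', 'behavior', 'behaviour']);
const SAMPLE = String.raw`color: red; BINDING: url(widgets.xml#btn); b\69nding: MyButton; ` +
  String.raw`-moz-binding: url("a;b.xml#c"); background: url(data:image/png;base64,AAAA); behavio\75r: url(x.htc)`;

// Decode CSS escapes so "b\69nding" compares equal to "binding".
function decodeCssEscapes(s) {
  return s.replace(/\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])/g, (_, hex, ch) => {
    if (!hex) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
  });
}

// Split on ';' outside strings and parentheses; comments are dropped.
function splitDeclarations(text) {
  const out = [];
  let cur = '', quote = null, depth = 0;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (c === '\\') { cur += c + (text[i + 1] ?? ''); i++; continue; }
    const end = !quote && text.startsWith('/*', i) ? text.indexOf('*/', i + 2) : null;
    if (end !== null) { i = end < 0 ? text.length : end + 1; continue; }
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '(') depth++;
    else if (c === ')') depth = Math.max(0, depth - 1);
    else if (c === ';' && depth === 0) { out.push(cur); cur = ''; continue; }
    cur += c;
  }
  out.push(cur);
  return out;
}

function sanitizeDeclarations(text) {
  const kept = [], removed = [];
  for (const d of splitDeclarations(text).map((s) => s.trim()).filter(Boolean)) {
    const colon = d.indexOf(':');
    const prop = decodeCssEscapes(colon < 0 ? d : d.slice(0, colon)).trim().toLowerCase();
    const base = prop.replace(/^-[a-z]+-/, ''); // -moz-binding -> binding
    // Fail closed: braces could close the rule and open a new one, so drop those too.
    const wellFormed = colon > 0 && /^-?[a-z_][a-z0-9_-]*$/.test(prop) && !/[{}]/.test(d);
    if (!wellFormed || SCRIPT_PROPS.has(base)) removed.push(d);
    else kept.push(`${prop}: ${d.slice(colon + 1).trim()}`);
  }
  return { css: kept.join('; '), removed };
}
```

Property names are compared only after escape decoding, comment removal and case folding, and the kept declarations are re-emitted with the normalized name so the browser parses the same property the filter checked.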