Re: [FEATURE REQ] warning on floats with no width (was Re: [WD]: CSS Layout problem)

From: Philippe Le Hegaret <plh@w3.org> Date: 24 Mar 2003 17:27:10 -0500 To: Paul Arzul <patricka@mkdoc.com> Cc: www-validator-css@w3.org Message-Id: <1048544830.7786.139.camel@jfouffa.w3.org> · This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 23:00:50 UTC

On Wed, 2003-03-12 at 07:29, Paul Arzul wrote:
> unescaped html in "Valid CSS informations" is a potential security issue.
> 
> simple test case[1]:
> 
> body:before
> {
>    content: "<script>alert('Hello World')</script>";
> }

This bug has been added in the bugzilla database:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=145

> Paul Arzul wrote:
> > 
> > a:before
> > {
> >   content: "<b>bold</b>";
> > }
> > 
> > validates fine - but the validator generated html produced is:
> > 
> > <b>bold</b>
> > 
> > when it should[1] be:
> > 
> > &lt;b&gt;bold&lt;/b&gt;

I believe this is the same bug.

Philippe