Robert Sayre wrote:
> I realize this is a rough cut, but should the XHTML subset include CSS
> code? I suspect it should, since CSS can contain URIs.
> <http://www.feedparser.org/docs/html-sanitization.html#advanced.sanitization.why>
Brendan and I have had some disagreement on this issue. ;) In my opinion, the
examples in that document should throw a security exception from the
window.location getter in a reasonably designed UA.
> 2.) We should create a container element that invokes sanitization code.
> Let's call it <livejournal-comment>.
I think any model that assumes that the only way we get content is by parsing it
is more or less doomed to failure. Unless <livejournal-comment> has the same
effect when someone clones nodes they got via XMLHttpRequest and then inserts
them as kids of it?
-Boris
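An added example, not code from this thread or from Mozilla, of the point Boris makes: sanitization has to sit on the insertion path of the container, not only on the parser, so that nodes cloned from an XMLHttpRequest response go through the same checks as parsed markup. It also covers Robert's CSS point by stripping declarations that carry url() or @import. The node tree is a plain-object stand-in for the DOM (assumed shape: {type:'element', tag, attrs, children} or {type:'text', text}) so the code runs without a browser; the allowlists and the SanitizingContainer name are choices made here, with the container modelled on the proposed <livejournal-comment>.

```javascript
// Elements and attributes kept; everything else is dropped or unwrapped.
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'span', 'div', 'img']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'style', 'title', 'alt']);
// Elements whose whole subtree is discarded rather than unwrapped.
const DROP_SUBTREE = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const SAFE_SCHEMES = /^(https?|mailto):/i;

// Returns the URL when its scheme is allowed (or it is relative), else null.
function safeUrl(value) {
  // Browsers ignore control characters and whitespace inside a scheme, so
  // strip them before deciding what the scheme is.
  const v = String(value).replace(/[\u0000-\u0020]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(v)) return SAFE_SCHEMES.test(v) ? v : null;
  return String(value).trim();
}

// Drops CSS declarations that can reach a URI (url(), @import), run code in
// legacy engines (expression()), or use backslash escapes to hide either.
function sanitizeStyle(css) {
  return String(css)
    .split(';')
    .map(d => d.trim())
    .filter(d => d && !/url\s*\(|expression\s*\(|@import|\\/i.test(d))
    .join('; ');
}

// Walks a list of nodes and returns a cleaned copy; unknown elements are
// unwrapped (children kept), DROP_SUBTREE elements vanish with their children.
function sanitizeNodes(nodes) {
  const out = [];
  for (const node of nodes) {
    if (node.type === 'text') { out.push({ type: 'text', text: String(node.text) }); continue; }
    if (node.type !== 'element') continue;
    const tag = String(node.tag).toLowerCase();
    if (DROP_SUBTREE.has(tag)) continue;
    const children = sanitizeNodes(node.children || []);
    if (!ALLOWED_TAGS.has(tag)) { out.push(...children); continue; }
    const attrs = {};
    for (const [name, value] of Object.entries(node.attrs || {})) {
      const key = name.toLowerCase();
      if (!ALLOWED_ATTRS.has(key)) continue; // removes on* handlers and the rest
      if (key === 'href' || key === 'src') {
        const u = safeUrl(value);
        if (u !== null) attrs[key] = u;
      } else if (key === 'style') {
        const s = sanitizeStyle(value);
        if (s) attrs[key] = s;
      } else {
        attrs[key] = String(value);
      }
    }
    out.push({ type: 'element', tag, attrs, children });
  }
  return out;
}

// Container in the spirit of <livejournal-comment>: the check runs on every
// insertion, whichever way the caller obtained the nodes.
class SanitizingContainer {
  constructor() { this.children = []; }
  appendChild(node) {
    const clean = sanitizeNodes([node]);
    this.children.push(...clean);
    return clean;
  }
}

// Constructed sample: a comment as it might come back from an XHR response,
// carrying a javascript: link, a CSS url(), an inline handler and a script.
const untrustedComment = {
  type: 'element', tag: 'div',
  attrs: { style: 'color:red; background:url(javascript:alert(1))', onclick: 'x()' },
  children: [
    { type: 'element', tag: 'a', attrs: { href: ' javascript:alert(1)' },
      children: [{ type: 'text', text: 'click' }] },
    { type: 'element', tag: 'script', attrs: {}, children: [{ type: 'text', text: 'alert(1)' }] },
    { type: 'element', tag: 'blink', attrs: {}, children: [{ type: 'text', text: 'hi' }] },
  ],
};

// Clone the nodes (stand-in for cloneNode(true)) and insert them; the
// container, not the parser, is where the sanitization happens.
function demo() {
  const container = new SanitizingContainer();
  container.appendChild(JSON.parse(JSON.stringify(untrustedComment)));
  return container.children;
}
```

Running demo() leaves a single div with style "color:red" and no onclick, containing an anchor whose href was removed and the text "hi" unwrapped from the unknown element; the script subtree is gone. The design choice worth noting is that there is no separate "parsed" path: if markup is parsed first and then handed to appendChild, it meets exactly the same allowlists as a cloned tree.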
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security