The new CSS2 filter has been implemented in the unstable branch. This means CSS can now be used again by users of the unstable branch. It should be reasonably safe; the issues are covered by this comment in SaferFilter.java:

    /* WARNING: this is not as thorough as the HTML filter - we do not
     * enumerate all possible attributes etc.
     * New versions of the spec could conceivably lead to new risks.
     * How this would happen:
     * a) Another way to include URLs, apart from @import and url() (we are
     *    safe from new @ directives though)
     * b) A way to specify the MIME type of includes, IF those includes
     *    could be a risky type (HTML, CSS, etc)
     * This is still FAR more rigorous than the old filter though. If you
     * want extra paranoia, turn on paranoidStringCheck, which will throw an
     * exception when it encounters strings with colons in; then the only
     * risk is something that includes, and specifies the type of, HTML, XML
     * or XSL. */
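To make the two risks in that comment concrete, here is a small added example (written for this page, not Freenet's SaferFilter.java) of the shape such a filter takes: it strips comments and decodes CSS backslash escapes before checking anything, so that a hidden `@import` or `url(` is seen the way a browser would see it; it drops `@import` statements and any declaration containing `url(`; and an optional paranoid mode, modelled on the `paranoidStringCheck` described above, throws as soon as a string literal contains a colon. The function names, the exception class and the sample stylesheet are all constructed for the illustration.

```python
import re


class CSSFilterError(Exception):
    """Raised by the paranoid string check when a string literal contains a colon."""


# Comments are removed first so they cannot hide anything from the later checks.
_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# CSS backslash escapes: '\' + 1-6 hex digits (plus one optional trailing
# whitespace char), or '\' + any other single non-newline character.
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n0-9a-fA-F])")
_STRING = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
_IMPORT = re.compile(r"@import\b[^;]*;?", re.I)
_URL = re.compile(r"\burl\s*\(", re.I)
# A flat 'selector { declarations }' block; nested blocks lose their wrapper.
_BLOCK = re.compile(r"([^{}]+)\{([^{}]*)\}", re.S)
_DECL = re.compile(r"^\s*([-\w]+)\s*:\s*(.*?)\s*$", re.S)


def _decode(m):
    if m.group(1) is not None:
        cp = int(m.group(1), 16)
        # NUL, surrogates and out-of-range values become U+FFFD, as CSS parsers do.
        if cp == 0 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            return "\ufffd"
        return chr(cp)
    return m.group(2)


def normalize(css):
    """Strip comments and decode escapes so that e.g. 'u\\72 l(' is checked as 'url('."""
    return _ESCAPE.sub(_decode, _COMMENT.sub(" ", css))


def filter_css(css, paranoid_string_check=False):
    """Return sanitised CSS.

    @import statements are removed, declarations whose value contains url() are
    dropped, and selectors starting with '@' (at-rules this toy does not model)
    are dropped wholesale: the filter fails closed rather than guessing.
    With paranoid_string_check=True any string literal containing ':' raises.
    """
    text = normalize(css)
    if paranoid_string_check:
        for literal in _STRING.findall(text):
            if ":" in literal:
                raise CSSFilterError("string literal with colon rejected: %s" % literal)
    text = _IMPORT.sub("", text)
    rules = []
    for selector, body in _BLOCK.findall(text):
        selector = " ".join(selector.split())
        if not selector or selector.startswith("@"):
            continue
        kept = []
        for decl in body.split(";"):
            m = _DECL.match(decl)
            if not m:
                continue
            prop, value = m.group(1), m.group(2)
            # Drop anything that fetches a URL, and anything with an unbalanced
            # quote (a string literal that the ';' split cut in half).
            if _URL.search(value) or value.count('"') % 2 or value.count("'") % 2:
                continue
            kept.append("%s: %s" % (prop, value))
        if kept:
            rules.append("%s { %s; }" % (selector, "; ".join(kept)))
    return "\n".join(rules)


if __name__ == "__main__":
    # Constructed sample: an escaped @import, an escaped url() and a plain rule.
    sample = '@\\69mport "other.css"; p { background: u\\72 l(pic.png); color: red }'
    print(filter_css(sample))  # only the colour declaration survives
```

The order matters: normalising before matching is what lets one check cover the spelled-out and the escaped forms of `@import` and `url(` alike, which is the same reason the page's filter can be said to be safe from new `@` directives it has never heard of.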
Kudos to the W3C for providing a grammar in the spec, and making it consistent enough (unlike HTML) that it can be dealt with this way.

-- 
Matthew Toseland
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
