2009/3/24 Matthew Toseland <[email protected]>: > On Saturday 21 March 2009 05:17:37 Daniel Cheng wrote: >> 2009/3/21 Matthew Toseland <[email protected]>: >> > On Friday 20 March 2009 06:06:02 [email protected] wrote: >> >> Author: j16sdiz >> >> Date: 2009-03-20 06:06:00 +0000 (Fri, 20 Mar 2009) >> >> New Revision: 26115 >> >> >> >> Modified: >> >> trunk/freenet/src/freenet/clients/http/filter/CSSTokenizerFilter.java >> >> trunk/freenet/src/freenet/clients/http/filter/CSSTokenizerFilter.jflex >> >> Log: >> >> More CSS fix >> >> >> > ... >> >> Modified: >> > trunk/freenet/src/freenet/clients/http/filter/CSSTokenizerFilter.jflex >> >> =================================================================== >> >> --- > trunk/freenet/src/freenet/clients/http/filter/CSSTokenizerFilter.jflex >> > 2009-03-20 02:56:03 UTC (rev 26114) >> >> +++ > trunk/freenet/src/freenet/clients/http/filter/CSSTokenizerFilter.jflex >> > 2009-03-20 06:06:00 UTC (rev 26115) >> >> @@ -438,7 +438,7 @@ >> >> {IDENT}"(" { >> >> String s = yytext(); >> >> if(s.toLowerCase().startsWith("url")) >> > throwError(l10n("invalidURLContents")); >> >> - if(!s.toLowerCase().startsWith("rgb")) >> > throwError(l10n("invalidURLContents")); >> >> + if(!s.toLowerCase().startsWith("rgb") >> > && !s.toLowerCase().startsWith("attr")) >> > throwError(l10n("invalidURLContents")); >> > >> > Why startsWith? What functions are attr*? >> >> you can do something like this in css: >> h1:after { content: attr(title) } >> >> <h1 title="xxxx"> ... </h1> >> >> would give xxxx in the text. > > And this is always safe? The content is not parsed or mangled, it cannot > contain markup, it is just displayed? >
just text or images [ using url( attr( .. ) ) ... this would be rejected as invalid url ], no html, no scripts.
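
Review bot: the allow-list test in the {IDENT}"(" rule is a prefix match, so !s.toLowerCase().startsWith("rgb") && !s.toLowerCase().startsWith("attr") lets through any function token whose name merely begins with rgb or attr, not only rgb( and attr(. Because this rule decides which CSS functions pass the filter, compare the whole lower-cased token against the exact strings "rgb(" and "attr(" instead, and lower-case s once rather than on each of the three tests. The rejection also still reports invalidURLContents for tokens that are not URLs, so a separate message key would make filter errors easier to read. A short comment on why attr( is allowed (it yields text, and url(attr(..)) is rejected as an invalid URL, as the reply above states) would document the assumption the change relies on.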
