The new CSS2 filter has been implemented in the unstable branch. This means CSS can now be used again by users of the unstable branch. It should be reasonably safe; the issues are covered by this comment in SaferFilter.java:

/* WARNING: this is not as thorough as the HTML filter - we do not
 * enumerate all possible attributes etc.
 * New versions of the spec could conceivably lead to new risks.
 * How this would happen:
 * a) Another way to include URLs, apart from @import and url() (we are
 *    safe from new @ directives though)
 * b) A way to specify the MIME type of includes, IF those includes
 *    could be a risky type (HTML, CSS, etc)
 * This is still FAR more rigorous than the old filter though. If you
 * want extra paranoia, turn on paranoidStringCheck, which will throw an
 * exception when it encounters strings with colons in; then the only
 * risk is something that includes, and specifies the type of, HTML, XML
 * or XSL.
 */
Kudos to the W3C for providing a grammar in the spec, and making it consistent enough (unlike HTML) that it can be dealt with this way.

-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/1/03
http://freenetproject.org/
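As an added illustration (not Freenet's SaferFilter code, which is Java), here is a small Python filter built on the idea the comment above describes: tokenize by the CSS grammar so that comments, strings and url() are matched whole, strip @import and url(), drop any @-directive not on an allow-list, and optionally refuse strings that contain a colon. The allow-list of @-rules, the error types and the sample inputs are assumptions for this example.

```python
import re
# Added example (not Freenet's own SaferFilter): grammar-driven CSS filter in
# the spirit described above; content-bearing tokens are matched whole.
TOKEN_RE = re.compile(r"""
    (?P<comment>/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<url>url\(\s*(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[^)]*)\s*\))
  | (?P<atkw>@[A-Za-z-]+)
  | (?P<other>.)
""", re.VERBOSE | re.DOTALL | re.IGNORECASE)
ALLOWED_AT_RULES = {"@media", "@page"}  # assumed allow-list for this example

class ParanoidStringError(ValueError):
    """Raised in paranoid mode when a string literal contains a colon."""

def _skip_at_rule(tokens, i):
    """Index just past the at-rule at tokens[i] (ends at ';' or its own '}')."""
    depth = 0
    for j in range(i + 1, len(tokens)):
        if tokens[j].lastgroup != "other":
            continue  # strings, comments and url() are opaque single tokens
        ch = tokens[j].group()
        if ch == ";" and depth == 0:
            return j + 1
        if ch == "{":
            depth += 1
        elif ch == "}":
            if depth <= 1:  # own block closed, or enclosing '}' left to caller
                return j + 1 if depth == 1 else j
            depth -= 1
    return len(tokens)

def filter_css(css, paranoid=False):
    """Strip comments, url() values, @import and unknown @-rules from css;
    with paranoid=True, reject any string literal containing ':'."""
    tokens = list(TOKEN_RE.finditer(css))
    out, i = [], 0
    while i < len(tokens):
        kind, text = tokens[i].lastgroup, tokens[i].group()
        if kind == "atkw" and text.lower() not in ALLOWED_AT_RULES:
            i = _skip_at_rule(tokens, i)  # covers @import and any new directive
            continue
        if kind == "string" and paranoid and ":" in text:
            raise ParanoidStringError("colon inside string: " + text)
        if kind == "other" and text in "\"'":
            raise ValueError("unterminated string literal")  # never pass it on
        if kind not in ("comment", "url"):  # both are dropped outright
            out.append(text)
        i += 1
    return "".join(out)
```

Rejecting rather than repairing an unterminated string matters because browsers treat the rest of the sheet as string content, which would hide whatever follows from a line-by-line check.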