2010/3/10 <[email protected]>: > > Comment #3 on issue 1155 by felix8a: keydown handlers attached to document > http://code.google.com/p/google-caja/issues/detail?id=1155 > > yeah, tabindex=-1 on the virtual document might be a good idea, I'll do some > tests. > > whitelisting tabindex -1 and 0 should be harmless in any case. all that can > do is make an element focusable > or remove it from the tab order.
That sounds like an excellent first step to allowing tabindex manipulation. > positive tabindex values might interfere with tab order in the container, > which may or may not be an issue. it > would be an annoyance, but the security risk seems low. (if the container > happens to have a name/password > entry, a user might expect to type "name <tab> password <enter>", and a > gadget on the same page might > use tabindex to trick users into typing the password into its entry. Alternatively, we could restrict tabindices to [0, 1e6) and rewrite the tab index to (moduleIndex + 1) * 1e6 + tabIndex > -- > You received this message because you are listed in the owner > or CC fields of this issue, or because you starred this issue. > You may adjust your issue notification preferences at: > http://code.google.com/hosting/settings >
