I've been reading through the specs related to media queries.
It looks like they are used in a few places:

  HTML: <link rel="stylesheet" media="[media-query]">
  CSS:  @import "[url]" [media-query] ;
  CSS:  @media [media-query] { [stylesheet-element] }
  JS:   window.matchMedia([media-query])

http://dev.w3.org/csswg/mediaqueries4/#syntax seems to be the
controlling document for the syntax.
Productions named "expression" worry me, so I'm inclined to substitute
for media-feature, a white-list derived from
https://developer.mozilla.org/en-US/docs/Web/Guide/CSS/Media_queries
Besides that, I plan to derive an allowed token list
["only", "and", "not", ",", "<", "<=", ...] + known_media_types +
known_media_features
and then allow any string of CSS tokens that has balanced parentheses
and consists only of those tokens.
The media spec introduces a ratio value-type in
http://dev.w3.org/csswg/mediaqueries4/#values to allow comparisons of
aspect ratios like 4 / 3.
The use of "/" in media-queries and the fact that media queries appear
adjacent to a URL in @import means that we might want to guard against
media queries that could also be interpreted as URLs.
I propose prefixing with "only" all media queries that do not start
with "only" and consist of only commas and known media types per
http://dev.w3.org/csswg/mediaqueries4/#media0 :
> The keyword ‘only’ can also be used to hide style sheets from older
> user agents. User agents must process media queries starting with
> ‘only’ as if the ‘only’ keyword was not present.
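
One way to implement the token whitelist, the balanced-parentheses check and the "only" prefixing proposed in the message above, as an added example that is not part of the original message and is not Caja's code. The tokenizer is simplified, the type, feature, keyword and value lists are small constructed subsets, the names `sanitizeMediaQuery` and `isAllowed` are hypothetical, and prefixing each bare media type in a comma-separated list is one reading of the proposal.

```javascript
// Constructed subsets for illustration; real lists would be derived from the
// Media Queries spec and the MDN page referenced in the message.
const MEDIA_TYPES = new Set(["all", "screen", "print", "speech"]);
const MEDIA_FEATURES = new Set(["width", "min-width", "max-width", "height",
  "orientation", "aspect-ratio", "min-aspect-ratio", "resolution"]);
const KEYWORDS = new Set(["only", "and", "not", "portrait", "landscape"]);
const PUNCT = new Set([",", "(", ")", ":", "/", "<", "<=", ">", ">=", "="]);
// Assumed value tokens: a plain number, optionally with one of a few units.
const VALUE = /^\d+(\.\d+)?(px|em|rem|dpi|dppx)?$/;
// Simplified tokenizer, not a full CSS tokenizer. Characters it cannot match
// (backslash escapes, quotes, ";", "{", "}") cause the whole query to be rejected.
const TOKEN = /\s*(<=|>=|[(),:\/<>=]|[a-z0-9.-]+)\s*/y;

function isAllowed(tok) {
  return PUNCT.has(tok) || KEYWORDS.has(tok) || MEDIA_TYPES.has(tok) ||
    MEDIA_FEATURES.has(tok) || VALUE.test(tok);
}

// Returns a normalized query built only from whitelisted tokens, or null.
function sanitizeMediaQuery(input) {
  const src = String(input).toLowerCase(); // media queries are case-insensitive
  const tokens = [];
  let depth = 0;
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const m = TOKEN.exec(src);             // sticky: must match at lastIndex
    if (!m || !isAllowed(m[1])) return null;
    if (m[1] === "(") depth++;
    if (m[1] === ")" && --depth < 0) return null; // ")" before its "("
    tokens.push(m[1]);
  }
  if (tokens.length === 0 || depth !== 0) return null;
  // Only commas and known media types: prefix each type with "only",
  // following the proposal in the message.
  const bare = tokens.every(t => t === "," || MEDIA_TYPES.has(t));
  const out = bare ? tokens.map(t => (t === "," ? t : "only " + t)) : tokens;
  return out.join(" ");
}
```

The output is rebuilt from the accepted tokens rather than echoed from the input, so nothing outside the whitelist survives into the result.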