On 02/06/2014 15:01, Boris Zbarsky wrote:
> On 6/2/14, 8:54 AM, James M Snell wrote:
>> So long as they're handled with the same policy and restrictions as the
>> script tag, it shouldn't be any worse.
>
> It's worse for sites that have some sort of filtering on user-provided
> content but don't catch this case right now, no?
>
> -Boris
>
I do hope any filter already blocked out <link> elements, as CSS has been an XSS vector for a long time, courtesy of MSIE expressions and XBL bindings.

--
G