On 6/2/14, 4:21 PM, Giorgio Maone wrote:
I do hope any filter already blocked out <link> elements, as CSS has been a XSS vector for a long time
<link> elements without "stylesheet" in rel don't load CSS, though. Hence the worries about blacklist vs whitelist... -Boris
