Some initial informal testing shows that import links do make it through the filters I have readily handy. It was quick work to write up some custom filters, however.

On Jun 2, 2014 1:52 PM, "Boris Zbarsky" <bzbar...@mit.edu> wrote:
> On 6/2/14, 4:21 PM, Giorgio Maone wrote:
>
>> I do hope any filter already blocked out <link> elements, as CSS has
>> been a XSS vector for a long time
>
> <link> elements without "stylesheet" in rel don't load CSS, though.
>
> Hence the worries about blacklist vs whitelist...
>
> -Boris
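
The blacklist-versus-whitelist point in the thread above, as an added example that is not code from any participant or from any real filter: a rule that drops only `rel="stylesheet"` links lets a `rel="import"` link through, while a rule that keeps only known relations drops it. The sample markup, the `BLOCKED_REL` and `ALLOWED_REL` sets, and all function names are assumptions made for this sketch.

```python
from html.parser import HTMLParser

# Constructed sample markup, not taken from the thread.
SAMPLE = """
<link rel="stylesheet" href="https://example.test/a.css">
<link rel="import" href="https://example.test/widget.html">
<link rel="ICON" href="/favicon.ico">
<link href="/no-rel">
"""

BLOCKED_REL = {"stylesheet"}         # blacklist: the one relation the filter author thought of
ALLOWED_REL = {"icon", "canonical"}  # whitelist: relations assumed acceptable for this sketch


def rel_tokens(attrs):
    """rel is a space-separated, case-insensitive list of tokens."""
    rel = dict(attrs).get("rel") or ""
    return {token.lower() for token in rel.split()}


def blacklist_keeps(tokens):
    # Keeps anything that is not explicitly named, including relations
    # that did not exist when the rule was written.
    return not (tokens & BLOCKED_REL)


def whitelist_keeps(tokens):
    # Keeps a link only if it has a rel and every token in it is known.
    return bool(tokens) and tokens <= ALLOWED_REL


class LinkCollector(HTMLParser):
    """Records the href of every <link> that the given rule keeps."""

    def __init__(self, keeps):
        super().__init__()
        self.keeps = keeps
        self.kept = []

    def handle_starttag(self, tag, attrs):
        if tag == "link" and self.keeps(rel_tokens(attrs)):
            self.kept.append(dict(attrs).get("href"))


def surviving_links(html, keeps):
    parser = LinkCollector(keeps)
    parser.feed(html)
    parser.close()
    return parser.kept
```
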