On Jan 21, 2009, at 2:31 PM, Remko Tronçon wrote:
> Shouldn't it be specified how the 'value' field should be interpreted for things like 'icon' etc.? Should this be limited to http URIs? I guess it is with data forms, because you can only have one string as a value child?

Yes, this should be specified.

> Shouldn't the security considerations mention something about fetching the icons OOB? (i.e. exposing unwanted information about location etc., potential malicious files, ...)

Yes. Particularly since there have been attacks against various image libraries.
