2009/6/19 Kristof Zelechovski <[email protected]>: > You can easily include a cross-domain script using a cross-domain DTD; just > attach the malware as > > <!ATTLIST body onload CDATA “{ sniper.shoot(); }” > > > and hope for the worst. > > Chris
You need to own the external subset, though, in order to add that <!ATTLIST>. It is like saying that shared JS libraries are dangerous because you import code from other sources. Giovanni
