[Ur] Supporting 'style' attribute securely
Marc Weber
marco-oweber at gmx.de
Sun Apr 15 14:09:43 EDT 2012
I still don't get it.
Who is going to add style attributes causing injections?
The user (client side): can do so anyway by using javascript: urls in the browser
window or firebug lite like tools
The programmer? The programmer can do whatever he/she wants anyway.
In which way is it different from the programmer using eval in an unsafe
way?
So which (ab)use case is this talk about?
Is it about rejecting such:
<div style="background-img:url(...)"></div>
Sorry for my stupid questions. Just want to understand what this is
about.
Marc Weber
More information about the Ur
mailing list