[Ur] Supporting 'style' attribute securely
Marc Weber
marco-oweber at gmx.de
Sun Apr 15 14:25:00 EDT 2012
Excerpts from Adam Chlipala's message of Sun Apr 15 20:12:00 +0200 2012:
> It's just like using eval() in an unsafe way, but Ur/Web rules out
> eval()!
Can't you just use it as an 'external' function and write a binding for
it in .urp files?
So the point is that all problems are known by reading the .urp file?
So this discussion is about both: The urweb compiler and the HTML parser
you wrote to sanitize / verify that user typed well formed HTML?
Thus if a user wants to design his newsletter for a shop he should be
prevented from using <div style="something using a malicious url"> or
the like?
Marc Weber
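The question above is whether a user-typed style attribute can be verified before it reaches the page. One defender-side way to do that, added here as an illustration and not code from the Ur/Web project or from anyone on this thread, is a fail-closed sanitizer that keeps only an allow-listed set of CSS properties and rejects any value that could reach out of the document (url(), @import) or execute code (expression(), behavior:). The property allowlist and the forbidden-token list are assumptions chosen for a newsletter use case, not something the thread specifies.

```python
import re

# Constructed allowlist of properties a newsletter author may set (assumption).
ALLOWED_PROPERTIES = {
    "color", "background-color", "font-size", "font-weight", "font-family",
    "text-align", "margin", "padding", "border", "width", "height",
}

# Value fragments that fetch external resources, run code, or could be used to
# smuggle one of those past a naive check via CSS escapes or comments.
FORBIDDEN_VALUE_PATTERN = re.compile(
    r"url\s*\(|expression\s*\(|javascript:|@import|behavior\s*:|/\*|\\|<|>|&#",
    re.IGNORECASE,
)

# Characters a plain colour, length, font name or rgb() value needs; anything
# outside this set is rejected rather than escaped.
SAFE_VALUE_PATTERN = re.compile(r"^[A-Za-z0-9 #%.,()\-]+$")


def sanitize_style(style):
    """Return the normalised declarations of a style attribute, or None.

    The whole attribute is rejected (None) on the first disallowed property,
    forbidden value fragment or malformed declaration, so a tampered
    newsletter fails loudly instead of being silently trimmed.
    """
    kept = []
    for declaration in style.split(";"):
        if not declaration.strip():
            continue
        if ":" not in declaration:
            return None
        prop, value = declaration.split(":", 1)
        prop = prop.strip().lower()
        value = value.strip()
        if prop not in ALLOWED_PROPERTIES:
            return None
        if FORBIDDEN_VALUE_PATTERN.search(value) or not SAFE_VALUE_PATTERN.match(value):
            return None
        kept.append(f"{prop}: {value}")
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample attributes: one benign, one using a url() value.
    print(sanitize_style("color: #333; font-size: 14px"))
    print(sanitize_style("background-color: url(http://example.invalid/t.png)"))
```

The check runs on the raw attribute string, so it can sit in front of whatever renders user-authored HTML; because it rejects rather than rewrites, the output is always a subset of what the author typed and never a value the sanitizer itself constructed.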