[whatwg] The <iframe> element and sandboxing ideas
Edward Z. Yang
edwardzyang at thewritingpot.com
Wed Jul 23 18:29:54 PDT 2008
Frode Børli wrote:
> <td colspan='javascript(a + 5)'></td>
>
> Where a javascript returns the value in the colspan attribute. Many
> server side HTML sanitizers would have to be updated - unless we
> introduce a proper sandbox.
Or the HTML sanitizer could have done things properly and checked if
colspan was a numeric value. :-)
Disclaimer: I am one of those authors of server side HTML sanitizers you
speak of.
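The approach Edward describes, validating colspan by type instead of trying to recognise script-like values, written out as an added example (this is not code from the thread or from any sanitizer project). The policy table, the `positive_int` validator and the `sanitize` helper are assumptions made for the example; the sample input is the `<td colspan='javascript(a + 5)'>` markup from the quoted message.

```python
"""Allowlist-based attribute validation for a server-side HTML sanitizer.

Added example, not code from the whatwg thread. The sanitizer never asks
"does this value look like script?"; it asks "is this a valid value for
this attribute on this element?" and drops anything that is not.
"""
import re
from html import escape
from html.parser import HTMLParser


def positive_int(value, maximum=1000):
    """Accept only a plain decimal integer in 1..maximum; anything else is dropped.

    "javascript(a + 5)", "3e2", "2px" and "" all fail the regex, so no
    future attribute-value syntax can slip through by looking unfamiliar.
    """
    if value is None or not re.fullmatch(r"[0-9]{1,4}", value.strip()):
        return None
    n = int(value)
    return str(n) if 1 <= n <= maximum else None


# Hypothetical policy: element -> {attribute -> validator}.  Elements and
# attributes not listed here are removed from the output.
POLICY = {
    "table": {},
    "tr": {},
    "td": {"colspan": positive_int, "rowspan": positive_int},
    "th": {"colspan": positive_int, "rowspan": positive_int},
    "p": {},
    "b": {},
    "i": {},
}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document keeping only allowlisted elements and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # (tag, attr, value) records, useful for logging
        self.skipping = False  # True while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping = True
            self.dropped.append((tag, None, None))
            return
        if tag not in POLICY:
            self.dropped.append((tag, None, None))
            return
        rendered = []
        for name, value in attrs:
            validator = POLICY[tag].get(name)
            clean = validator(value) if validator else None
            if clean is None:
                self.dropped.append((tag, name, value))
                continue
            rendered.append(f' {name}="{escape(clean, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
            return
        if tag in POLICY:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            # Text is re-escaped on output, so entities in the input cannot
            # be used to smuggle markup through.
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return (clean_html, dropped) where dropped lists every rejected element/attribute."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample: the markup from the quoted message.
    clean, dropped = sanitize("<td colspan='javascript(a + 5)'></td>")
    print(clean)    # <td></td>
    print(dropped)  # [('td', 'colspan', 'javascript(a + 5)')]
```

Because the check is a positive type constraint rather than a blacklist of known-bad strings, the sanitizer needs no update when a browser adds new attribute-value syntax: whatever the new form is, it is not a decimal integer and is dropped. The `dropped` list is worth logging; a burst of rejected `colspan` values from one user is a cheap signal that someone is probing the sanitizer.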