[whatwg] External document subset support

Giovanni Campagna scampa.giovanni at gmail.com
Fri Jun 19 04:40:07 PDT 2009

2009/6/19 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> You can easily include a cross-domain script using a cross-domain DTD; just
> attach the malware as
> <!ATTLIST body onload CDATA “{ sniper.shoot(); }” >
> and hope for the worst.
> Chris

You need to own the external subset, though, in order to add that
<!ATTLIST>. It is like saying that shared JS libraries are dangerous
because you import code from other sources.


More information about the whatwg mailing list