[whatwg] External document subset support

Giovanni Campagna scampa.giovanni at gmail.com
Fri Jun 19 04:40:07 PDT 2009


2009/6/19 Kristof Zelechovski <giecrilj at stegny.2a.pl>:
> You can easily include a cross-domain script using a cross-domain DTD; just
> attach the malware as
>
> <!ATTLIST body onload CDATA “{ sniper.shoot(); }” >
>
> and hope for the worst.
>
> Chris

You need to own the external subset, though, in order to add that
<!ATTLIST>. It is like saying that shared JS libraries are dangerous
because you import code from other sources.

Giovanni



More information about the whatwg mailing list