This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
unescaped html in "Valid CSS informations" is a potential security issue. simple test case[1]: body:before { content: "<script>alert('Hello World')</script>"; }
"[BUG] Generated content is unescaped"[1] is related. - p 1. http://lists.w3.org/Archives/Public/www-validator-css/2002Nov/0026.html
See also http://www.w3.org/mid/4049fe68.650248878@smtp.bjoern.hoehrmann.de