This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 145 - unescaped html in "Valid CSS informations" and security
Status: VERIFIED FIXED
Alias: None
Product: CSSValidator
Classification: Unclassified
Component: text area
Version: CSS Validator
Hardware: Other other
Importance: P1 normal
Target Milestone: ---
Assignee: Philippe Le Hegaret
QA Contact: qa-dev tracking
URL: http://jigsaw.w3.org/css-validator/va...
Reported: 2003-02-27 15:34 UTC by Philippe Le Hegaret
Modified: 2005-12-18 16:25 UTC

Description Philippe Le Hegaret 2003-02-27 15:34:57 UTC
unescaped html in "Valid CSS informations" is a potential security issue.

simple test case[1]:

body:before
{
  content: "<script>alert('Hello World')</script>";
}

Comment 1 Paul Arzul 2003-03-12 07:12:34 UTC
"[BUG] Generated content is unescaped"[1] is related.

- p

1. http://lists.w3.org/Archives/Public/www-validator-css/2002Nov/0026.html
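
Added example, not part of the original bug report or the CSS Validator's own code: the test case from the description rendered into an HTML report with and without output escaping, plus a parser-based check that a regression test could use. The report layout, RULES and the function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed input: the bug's test case as a parsed rule (selector, declarations).
RULES = [("body:before", [("content", "\"<script>alert('Hello World')</script>\"")])]


def render_report(rules, esc=lambda s: s):
    """Render a 'Valid CSS information' style listing (hypothetical layout).

    esc is applied to every string taken from the submitted style sheet.
    The default identity function reproduces the unescaped behaviour reported.
    """
    out = ["<div class='vcss'>"]
    for selector, declarations in rules:
        out.append(f"<p class='selector'>{esc(selector)} {{</p><ul>")
        for prop, value in declarations:
            out.append(f"<li>{esc(prop)}: {esc(value)};</li>")
        out.append("</ul><p>}</p>")
    out.append("</div>")
    return "\n".join(out)


class TagCollector(HTMLParser):
    """Records every element an HTML parser creates from the report."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(html_text, allowed=frozenset({"div", "p", "ul", "li"})):
    """Return elements in the report that the template itself never emits."""
    collector = TagCollector()
    collector.feed(html_text)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    print(injected_tags(render_report(RULES)))          # unescaped rendering
    print(injected_tags(render_report(RULES, escape)))  # escaped on output
```

Escaping happens at output time on every string that originated in the style sheet (selector, property and value), so the report shows the submitted text literally instead of parsing it as markup.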