<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE bugzilla SYSTEM "https://www.w3.org/Bugs/Public/page.cgi?id=bugzilla.dtd">

<bugzilla version="5.0.4"
          urlbase="https://www.w3.org/Bugs/Public/"
          
          maintainer="sysbot+bugzilla@w3.org"
>

    <bug>
          <bug_id>26982</bug_id>
          
          <creation_ts>2014-10-06 09:49:33 +0000</creation_ts>
          <short_desc>1.9.1 , list before CSRF, first item</short_desc>
          <delta_ts>2016-04-25 18:44:25 +0000</delta_ts>
          <reporter_accessible>1</reporter_accessible>
          <cclist_accessible>1</cclist_accessible>
          <classification_id>1</classification_id>
          <classification>Unclassified</classification>
          <product>HTML WG</product>
          <component>HTML5 spec</component>
          <version>unspecified</version>
          <rep_platform>PC</rep_platform>
          <op_sys>Linux</op_sys>
          <bug_status>RESOLVED</bug_status>
          <resolution>FIXED</resolution>
          
          
          <bug_file_loc></bug_file_loc>
          <status_whiteboard></status_whiteboard>
          <keywords></keywords>
          <priority>P2</priority>
          <bug_severity>editorial</bug_severity>
          <target_milestone>---</target_milestone>
          
          
          <everconfirmed>1</everconfirmed>
          <reporter name="Stefan Schumacher">stefan</reporter>
          <assigned_to name="This bug has no owner yet - up for the taking">dave.null</assigned_to>
          <cc>arronei</cc>
    
    <cc>mike</cc>
    
    <cc>public-html-admin</cc>
    
    <cc>public-html-wg-issue-tracking</cc>
          
          <qa_contact name="HTML WG Bugzilla archive list">public-html-bugzilla</qa_contact>

      

      

      

          <comment_sort_order>oldest_to_newest</comment_sort_order>  
          <long_desc isprivate="0" >
    <commentid>112733</commentid>
    <comment_count>0</comment_count>
    <who name="Stefan Schumacher">stefan</who>
    <bug_when>2014-10-06 09:49:33 +0000</bug_when>
    <thetext>Now:
When allowing harmless-seeming elements like img, it is important to whitelist any provided attributes as well.
Suggestion:
When allowing harmless-seeming elements like img, it is important to whitelist only the necessary attributes (that are needed for this specific demand).
Comment:
provided ist an expression that can be used in any way. In this case, it could be misunderstood (maybe not only by non native english speakers). The point should be that only safe attributes should be whitelisted.</thetext>
  </long_desc><long_desc isprivate="0" >
    <commentid>126106</commentid>
    <comment_count>1</comment_count>
    <who name="Arron Eicholz">arronei</who>
    <bug_when>2016-04-25 18:44:25 +0000</bug_when>
    <thetext>HTML5.1 Bugzilla Bug Triage: fixed per suggestion.

https://github.com/w3c/html/pull/252

If this resolution is not satisfactory, please copy the relevant bug details/proposal into a new issue at the W3C HTML5 Issue tracker: https://github.com/w3c/html/issues/new where it will be re-triaged. Thanks!</thetext>
  </long_desc>
      
      

    </bug>

</bugzilla>