This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26982 - 1.9.1 , list before CSRF, first item
Status: RESOLVED FIXED
Alias: None
Product: HTML WG
Classification: Unclassified
Component: HTML5 spec
Version: unspecified
Hardware: PC Linux
Importance: P2 editorial
Target Milestone: ---
Assignee: This bug has no owner yet - up for the taking
QA Contact: HTML WG Bugzilla archive list
Reported: 2014-10-06 09:49 UTC by Stefan Schumacher
Modified: 2016-04-25 18:44 UTC

Description Stefan Schumacher 2014-10-06 09:49:33 UTC
Now:
When allowing harmless-seeming elements like img, it is important to whitelist any provided attributes as well.
Suggestion:
When allowing harmless-seeming elements like img, it is important to whitelist only the necessary attributes (that are needed for this specific demand).
Comment:
"provided" is an expression that can be used in any way. In this case, it could be misunderstood (maybe not only by non-native English speakers). The point should be that only safe attributes should be whitelisted.
Comment 1 Arron Eicholz 2016-04-25 18:44:25 UTC
HTML5.1 Bugzilla Bug Triage: fixed per suggestion.

https://github.com/w3c/html/pull/252

If this resolution is not satisfactory, please copy the relevant bug details/proposal into a new issue at the W3C HTML5 Issue tracker: https://github.com/w3c/html/issues/new where it will be re-triaged. Thanks!