(In reply to Boris Zbarsky [:bz] from comment #3)

> I'm not sure why you decided to move this back to the wrong product....

Because I guess that part is for implementing an error message.

It is possible to allow it like Presto-based Opera did (so it couldn't allow XSS). Or just do like the <a> element: display the target address in the browser bottom when the mouse is over the button for clicking to lead to the destination address.

I now realize this touches a broader issue, so I opened a separate bug.
Please stop moving this into DOM. The code you want changed isn't in the DOM. If you move it here again, I will resolve the bug as invalid, because as a bug against the DOM implementation it _is_ invalid. There is no problem with the DOM implementation here.

> It would need to:
> — blacklist protocols correctly on <frame>; <iframe>; <object>; <a>. Or either don't
> allow them (seems problematic for <a>)

Any sane sanitizer uses a whitelist, and this whitelist does not include <frame>, <iframe>, or <object> at all. <a> will be on the whitelist, but will have its href checked against a scheme whitelist.

And yes, the worry is whitelisting the longdesc attribute without considering the risks.
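As an added illustration of the whitelist approach described in the comment above (example code written for this page, not Gecko's sanitizer or anything from the bug), the snippet below keeps only whitelisted elements, keeps only whitelisted attributes on them, and scheme-checks every attribute whose value is a URL; the element, attribute and scheme lists are illustrative choices, and passing a `url_attrs` set without `longdesc` reproduces the unchecked-attribute mistake the comment warns about.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Element whitelist: frame, iframe and object are simply not on it.
ALLOWED_TAGS = {"p", "b", "i", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "longdesc"}}
URL_ATTRS = {"href", "src", "longdesc"}  # values are URLs: scheme-check them
SAFE_SCHEMES = {"http", "https", "mailto"}

def url_is_safe(url):
    # Relative URLs pass; absolute ones need a whitelisted scheme.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\n\r")
    scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme
    return scheme == "" or scheme in SAFE_SCHEMES

class WhitelistSanitizer(HTMLParser):
    def __init__(self, url_attrs):
        super().__init__(convert_charrefs=True)
        self.url_attrs, self.out = url_attrs, []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # element dropped; its text content is still emitted
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in self.url_attrs and not url_is_safe(value):
                continue  # unsafe URL attribute dropped, element kept
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html_in, url_attrs=URL_ATTRS):
    parser = WhitelistSanitizer(url_attrs)
    parser.feed(html_in)
    parser.close()
    return "".join(parser.out)

SAMPLE = ('<p>Hi <a href="javascript:alert(1)">x</a> <a href="https://example.com/">ok</a></p>'
          '<iframe src="https://example.com/"></iframe>'
          '<img src="pic.png" longdesc="javascript:alert(2)">')  # constructed input, not from the bug
```

With the full `URL_ATTRS` set the `iframe` disappears entirely, the first link loses its `href`, and the `longdesc` is stripped; with `url_attrs={"href", "src"}` the `img` element passes the whitelist yet carries its `longdesc` value through unchecked.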