Closed Bug 598090 Opened 11 years ago Closed 11 years ago
Sync up the list of white-listed HTML tags and attributes in the sanitizing fragment sink with the HTML5 spec
The list of tags and attributes that we use for the white-list used in the sanitizing fragment sink is out of date. I'm filing this bug so that I can go through it and add any missing HTML5 tags/attrs in order for us to comply with HTML5.
Is @autofocus safe? Is @form safe if it points outside the editable area? What about the other @form* attributes? What about @radiogroup? Not sure what @pattern, @optimum, @scoped really do.
(In reply to comment #3) > Is @autofocus safe? Yes, it doesn't run any scripts. > Is @form safe if it points outside the editable area? What about the other > @form* attributes? Hmm, good point. I think we should not allow those attributes... Will submit a new patch soon. > What about @radiogroup? Looks safe to me. > Not sure what @pattern, @optimum, @scoped really do. @pattern allows one to specify the valid patterns of text that an input control accepts. @optimum allows one to specify the optimum value in the gague for a <meter> element. @scoped allows one to specify that a <style> element only affects its parent subtree. We don't generally allow the style element, so this is useless most of the time, except when we specifically allow the paranoid fragment sink to accept <style> elements, which would cause this to come to play.
With @form* attributes removed.
Comment on attachment 476891 [details] [diff] [review] Patch (v2) r=me
Attachment #476891 - Flags: review?(bzbarsky) → review+
Attachment #476891 - Flags: approval2.0? → approval2.0+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b7
Comment on attachment 476891 [details] [diff] [review] Patch (v2) a=LegNeato for 18.104.22.168 and 22.214.171.124
Is there going to be an automated test included with this?
(In reply to comment #11) > Is there going to be an automated test included with this? Not really. The benefit of automated tests here is very low, and the cost of creating one is actually really high (the number of possible combinations to test is scary).
I know. Imagine having to test them all by hand because there is no automated test.
As a way to test it, you can open a tab with data:text/html,<input autofocus value=test>, and another with http://www.mozilla.org/editor/midasdemo/. In the former, click the body, Cmd+A and Cmd+C, then go to midasdemo and paste inside the editable area, then click View HTML Source and make sure that the autofocus attribute is there.
You need to log in before you can comment on or make changes to this bug.