Re: [becss] security notice

----- Original Message ----- 
From: "fantasai" <fantasai.lists@inkedblade.net>
To: <www-style@w3.org>
Sent: Wednesday, April 04, 2007 1:22 PM
Subject: [becss] security notice


| 
| The BeCSS draft should note somewhere that the 'binding'
| property can introduce scripting and, unlike other CSS
| properties, may need to be stripped out of user-submitted
| content on sites like LiveJournal and weblogs.
| 
| ~fantasai
|

In principle
'binding', 'behavio[u]r' and the like attributes 
shall not have url/url/iri values - just id's.

In any case binding is technology dependent - not all resources
can be presented as URL's now.

As an example, css:

li.myclass { binding: MyButton; }

and in script (global namespace):

var MyButton = 
{
   onmousedown: function() {...}
   onmouseup: function() {...}
}

here binding point defines one 'class' from many in some script file.
The same can be applied to XBL and other similar technologies.

And more: ideally CSS should also allow import of 
scripts and other resources:

@media screen 
{
    @import-resource application/javascript "./my-componentes.js"
}

This way single CSS file may be used for styling presentation and behavior
allowing HTML be used for semantic purposes only.

Andrew Fedoniouk.
http://terrainformatica.com

 

Received on Wednesday, 4 April 2007 19:59:50 UTC