254
edits
Platform/HTML5 sanitizer: Difference between revisions
→Gecko Requirements
| Line 6: | Line 6: | ||
* Have three attribute white lists: HTML, SVG and MathML. The attributes don't depend on the element they are on beyond the element namespace. | * Have three attribute white lists: HTML, SVG and MathML. The attributes don't depend on the element they are on beyond the element namespace. | ||
* Have three lists of attributes that take URLs. Drop the attributes when they have prohibited URLs (after trimming whitespace from the value). | * Have three lists of attributes that take URLs. Drop the attributes when they have prohibited URLs (after trimming whitespace from the value). | ||
** Resolve relative URLs into absolute ones using a per fragment base URL. (Is this correct for Gecko reqs?) | ** Resolve relative URLs into absolute ones using a per fragment base URL. (Is this correct for Gecko reqs? Current code uses the node's base URI. Is that right?) | ||
** Why is whitespace trimmed before the security check? | ** Why is whitespace trimmed before the security check? | ||
** However, allow any URL in the src attribute on the img element, because imgs are safe. {{bug|572637}} | ** However, allow any URL in the src attribute on the img element, because imgs are safe. {{bug|572637}} | ||