On Mar 30, 11:46 am, "bste...@mozilla.com" <bste...@mozilla.com> wrote:
>
> Actually, all event-handling HTML attributes will be blocked, as they
> are a common vector for XSS, e.g. <body onload="evil()">. However,
> sites will still be able to do event handling in the following ways:

but evil() can only exist as a javascript built-in function or as a function defined in a white-listed source.

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
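
The rule quoted above blocks every event-handling HTML attribute, so a site adopting it needs an inventory of where its markup uses them. The following is an added example, not code from this thread or from Mozilla's implementation; the function name `findInlineHandlers` and the sample page are constructed for illustration.

```javascript
// Added example: audit markup for inline event-handler attributes (onload=, onclick=, ...).
// Regex-based so it runs without a DOM; a real HTML parser is the better tool for large audits.

// Opening tag; quoted attribute values may contain '>'.
const TAG_RE = /<([a-zA-Z][\w-]*)(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^"'>])*)>/g;
// One attribute: name, then an optional double-quoted, single-quoted or bare value.
const ATTR_RE = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function findInlineHandlers(html) {
  // Drop comments and script/style bodies so text inside them is not read as tags.
  const clean = html
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/(<(script|style)\b[^>]*>)[\s\S]*?(<\/\2\s*>)/gi, '$1$3');
  const found = [];
  for (const tag of clean.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const name = attr[1].toLowerCase();
      if (!/^on[a-z]+$/.test(name)) continue; // keep only event-handler attributes
      found.push({
        tag: tag[1].toLowerCase(),
        attr: name,
        code: attr[2] ?? attr[3] ?? attr[4] ?? '',
      });
    }
  }
  return found;
}

// Constructed sample page (not from the thread).
const SAMPLE = [
  '<html><body onload="evil()">',
  '<a href="/x" title="a > b" onClick=\'track(1)\'>x</a>',
  '<img src=p.png onerror=report()>',
  '<p data-note="onclick=not-a-handler">text</p>',
  '<!-- <div onclick="ignored()"> -->',
  '<script>if (a<b) { c = "<i onclick=z>"; }</script>',
  '</body></html>',
].join('\n');

for (const h of findInlineHandlers(SAMPLE)) {
  console.log(`<${h.tag}> ${h.attr}="${h.code}" would be blocked`);
}
```

Attribute values that merely contain the text `onclick=`, commented-out markup and script bodies are not reported, since none of them is an event-handling attribute on a live element.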