The main benefit is that with a few class tags jquery can work miracles. Without them dynamic js is much more difficult (or at least tediuos) . Think of them as tags which we can use to identify dom elements, the purpose of which is normally to attach app logic (js code) to them.
Brevity... Tablet... And all that. On Jul 11, 2012 11:06 PM, "Ron Wilson" <ronw.m...@gmail.com> wrote: > On 7/4/12, Stephan Beal <sgb...@googlemail.com> wrote: > > On Wed, Jul 4, 2012 at 10:34 AM, Joan Picanyol i Puig < > > lists-fos...@biaix.org> wrote: > >> > We will have to enable the "style" attribute on tags in the wiki > >> > content (style is currently filtered out by the wiki out of safety > >> > concerns), and if anyone can name a concrete security reason why that > >> > would be a Bad Idea, please speak up! > >> > >> This sounds like a wide open door for XSS attacks. > > > > Is there a specific attack (or attacks) then you can imagine which might > be > > a problem for us? (i'm no security expert, either!) During our meeting we > > came to the conclusion that allowing style attributes "should" be a > benign > > change, but we're also aware that there are people out there who are more > > devious than us and how might come up with abuses. > > > > How about if we restricted style attributes to class attributes (as > opposed > > to concrete style information)? e.g. this would be legal: > > > > <span class="wiki-bold">...</span> > > but this would not (as it currently is not): > > <span style="font-weight: bold">...</span> > > The Class attribute would certainly be safer, mostly because the value > of a class attribute is an identifier, not an expression. > > Still not sure why you think enabling these attributes would be > necessary, but having limited attributes like class would add some > value in terms of presentation. Also, this opens up the possibility of > using so-called "micro formats" to facilitate automatic extraction of > information. Example: <div class="date">Jul 4, 2012</div> > _______________________________________________ > fossil-users mailing list > fossil-users@lists.fossil-scm.org > http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users >
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
