The obvious thing to do is to create a new datatype representing styles. There are a lot of things to worry about, e.g. colors and lengths and all of those types, which means it'd need a bit of engineering effort. But you want this because there are a lot of non-canonical representations and JavaScript injection vectors to worry about. (This is speaking from my experience with HTML Purifier.)
Adam Chlipala <[email protected]> wrote:
> A number of folks have asked to be able to use the HTML 'style'
> attribute in Ur/Web. It's easy enough to add the attribute with type
> [string], but this seems likely to allow for some sort of code injection
> attack. At a minimum, URL's can appear in styles and be interpreted as
> URL's, which seems to function as a "universal interpreter" for whatever
> programming languages browsers want to support via URL's! (At a
> minimum, there are "javascript:" URL's.)
>
> So, any suggestions on "the right way" to support 'style' in Ur/Web?
> I'm unlikely to accept an idea that leaves open code injection
> vulnerabilities; one important global guarantee of Ur/Web is that code
> injection attacks are impossible. But I don't have such a clear idea of
> (a) what the attack possibilities are in CSS style code and (b) what the
> appropriate countermeasures are, including how they should be
> represented with typed combinators in Ur/Web.
>
> _______________________________________________
> Ur mailing list
> Ur@impredica

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
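As an added illustration of the "new datatype representing styles" approach suggested in the reply above (this is example code written for this page, not code from the thread, from Ur/Web or from HTML Purifier, and it is in Python rather than Ur/Web so that it can be run as-is), the sketch below models a style as a tuple of typed declarations. Each property name in the allowlist maps to a value type (here only `Color` and `Length`, with a constructed, deliberately small set of names and units), each type has its own parser, and serialization re-emits every value in one canonical form. Because a `Style` can only be built from these typed values, free-form text such as `url(...)` has no representation and can never reach the output; an untyped `string` attribute offers no such guarantee.

```python
"""Typed CSS style values: only validated, canonical declarations can be serialized.

Example code for this thread, not part of Ur/Web or HTML Purifier. The allowlists
below are constructed for illustration and are intentionally tiny.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple, Type, Union

# Constructed allowlists: a real implementation would cover far more names and units.
NAMED_COLORS: Dict[str, Tuple[int, int, int]] = {
    "black": (0, 0, 0), "white": (255, 255, 255),
    "red": (255, 0, 0), "blue": (0, 0, 255),
}
HEX_COLOR = re.compile(r"\A#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})\Z")
LENGTH = re.compile(r"\A(-?\d+(?:\.\d+)?)(px|em|rem|pt|%)?\Z")


@dataclass(frozen=True)
class Color:
    """An RGB colour; the only way to obtain one is through parse()."""
    r: int
    g: int
    b: int

    @classmethod
    def parse(cls, text: str) -> "Color":
        text = text.strip()
        if text.lower() in NAMED_COLORS:
            return cls(*NAMED_COLORS[text.lower()])
        m = HEX_COLOR.match(text)
        if not m:
            raise ValueError(f"not a color: {text!r}")
        digits = m.group(1)
        if len(digits) == 3:  # expand the #rgb shorthand to #rrggbb
            digits = "".join(ch * 2 for ch in digits)
        return cls(int(digits[0:2], 16), int(digits[2:4], 16), int(digits[4:6], 16))

    def css(self) -> str:
        # Canonical output: lowercase six-digit hex, regardless of how it was written.
        return f"#{self.r:02x}{self.g:02x}{self.b:02x}"


@dataclass(frozen=True)
class Length:
    """A number with an allowed unit; unitless values are accepted only for zero."""
    value: float
    unit: str

    @classmethod
    def parse(cls, text: str) -> "Length":
        m = LENGTH.match(text.strip())
        if not m:
            raise ValueError(f"not a length: {text!r}")
        value = float(m.group(1))
        unit = m.group(2) or ""
        if unit == "" and value != 0:
            raise ValueError(f"length needs a unit: {text!r}")
        return cls(value, unit)

    def css(self) -> str:
        return f"{self.value:g}{self.unit}"


Value = Union[Color, Length]

# Property allowlist: each permitted property name is bound to exactly one value type.
PROPERTIES: Dict[str, Type[Value]] = {
    "color": Color, "background-color": Color,
    "width": Length, "height": Length, "margin-top": Length,
}


@dataclass(frozen=True)
class Style:
    """A style is a sequence of (property, typed value) pairs, never a raw string."""
    declarations: Tuple[Tuple[str, Value], ...]

    def css(self) -> str:
        return "; ".join(f"{name}: {value.css()}" for name, value in self.declarations)


def parse_style(text: str) -> Style:
    """Parse untrusted 'a: b; c: d' text into a Style, or raise ValueError."""
    decls = []
    for chunk in text.split(";"):
        if not chunk.strip():
            continue
        if ":" not in chunk:
            raise ValueError(f"malformed declaration: {chunk!r}")
        name, _, raw = chunk.partition(":")
        name = name.strip().lower()
        if name not in PROPERTIES:
            raise ValueError(f"property not allowed: {name!r}")
        decls.append((name, PROPERTIES[name].parse(raw)))
    return Style(tuple(decls))


def is_rejected(text: str) -> bool:
    """True when the input cannot be represented as a Style at all."""
    try:
        parse_style(text)
    except ValueError:
        return True
    return False
```

The point of the structure is that the serializer never sees the attacker's bytes: `css()` rebuilds every value from typed fields, so `#F00` and `red` both come out as `#ff0000`, a unitless `10` or an unknown property is refused outright, and adding a new property means adding a new value type with its own parser rather than a new regex over the whole attribute.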
