So what are people looking for? For a CSS parser built into the urweb compiler which recognizes valid links and checks them against a list of valid links which may be used for CSS? Then injection attacks would be impossible, because putting arbitrary CSS code from a database into style attributes would be rejected because it can't be parsed at runtime?
Can one of you give an illustration of what such an injection attack with style attributes would look like?

If it's only about protecting against putting arbitrary text from the db into style=".." attributes, then we have to worry about whether we can trust the programmer, because he might add leaks in the urweb language which you can't prevent, such as

fun page_output_db () = dump_whole_db

Thus nobody is going to protect against mistakes made by programmers. To some degree you have to trust what they are doing.

Whatever you do, I'd like to remind you of the usability of SASS-like dialects for writing styles.

Oh, last but not least: URLs in styles (with hex something decoding) are used to speed up loading of pages as well, because no additional small icons have to be fetched, adding yet another round trip.

Marc Weber

_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
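The check the message asks about (recognize links in a style value, compare them with a list of allowed links, reject whatever cannot be parsed) is sketched below as an added example in JavaScript; it is not code from this thread or from Ur/Web. The names `checkStyle` and `ALLOWED_URLS`, the accepted token grammar and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration, not Ur/Web code. All names and sample URLs are constructed.
const ALLOWED_URLS = new Set([
  "/static/bg.png",
  "https://example.org/img/icon.png",
]);

const PROPERTY = /^[a-z-]+$/;
// url(...) with a double-quoted, single-quoted or bare argument
const URL_TOKEN = /^url\(\s*(?:"([^"]*)"|'([^']*)'|([^\s"'()]*))\s*\)$/i;
// Keywords, numbers, lengths, percentages, hex colours; no parentheses
const PLAIN_TOKEN = /^[a-z0-9#%.,-]+$/i;

function checkStyle(style) {
  // CSS escapes and comments can disguise "url(" from a simple scanner,
  // so any input containing them is rejected instead of decoded.
  if (/\\|\/\*|[<>{}@]/.test(style)) {
    return { ok: false, reason: "forbidden character" };
  }
  // Splitting on ";" fails closed: a URL containing ";" is rejected.
  for (const decl of style.split(";")) {
    if (decl.trim() === "") continue;
    const colon = decl.indexOf(":");
    if (colon < 0) return { ok: false, reason: "unparseable declaration" };
    const prop = decl.slice(0, colon).trim().toLowerCase();
    if (!PROPERTY.test(prop)) return { ok: false, reason: "bad property" };
    const tokens = decl.slice(colon + 1).match(/url\([^)]*\)|\S+/gi) || [];
    if (tokens.length === 0) return { ok: false, reason: "empty value" };
    for (const tok of tokens) {
      const m = URL_TOKEN.exec(tok);
      if (m) {
        const url = m[1] ?? m[2] ?? m[3];
        if (!ALLOWED_URLS.has(url)) return { ok: false, reason: "url not allowed" };
      } else if (!PLAIN_TOKEN.test(tok)) {
        return { ok: false, reason: "unparseable value" };
      }
    }
  }
  return { ok: true, reason: "" };
}
```

The checker accepts only what it can fully parse, so functional notations other than `url()` are rejected along with anything containing escapes or comments.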
