I still don't get it. Who is going to add style attributes causing injections?
The user (client side): can do so anyway by using javascript: URLs in the browser window or Firebug Lite-like tools.

The programmer? The programmer can do whatever he/she wants anyway. In which way is it different from the programmer using eval in an unsafe way?

So which (ab)use case is this talk about? Is it about rejecting such:

    <div style="background-img:url(...)"></div>

Sorry for my stupid questions. Just want to understand what this is about.

Marc Weber

_______________________________________________
Ur mailing list
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
