
Thread: security notice




security notice
United States
2007-04-04 15:22:12
The BeCSS draft should note somewhere that the 'binding'
property can introduce scripting and, unlike other CSS
properties, may need to be stripped out of user-submitted
content on sites like LiveJournal and weblogs.

~fantasai
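
An added example, not part of the original message or the BeCSS draft: one way a site could strip the 'binding' property (and the 'behavio[u]r' spellings mentioned later in this thread) from a user-submitted declaration list such as a style attribute. The function names and the blocklist are assumptions of this example; escapes, comments, case and vendor prefixes are normalized before the name is compared.

```python
import re

# Properties this thread names as able to attach script (example blocklist).
SCRIPT_BEARING = {"binding", "behavior", "behaviour"}
_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\\([^\r\n\f])")
_VENDOR = re.compile(r"^-[a-z]+-")

def _unescape(m):
    if m.group(1):
        cp = int(m.group(1), 16)
        return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
    return m.group(2)

def canonical_property(raw):
    """Name as a CSS parser reads it: escapes decoded, lower-cased, no vendor prefix."""
    return _VENDOR.sub("", _ESCAPE.sub(_unescape, raw).strip().lower())

def split_declarations(block):
    """Split on ';' outside strings and parentheses; comments are dropped."""
    parts, buf, quote, depth, i = [], [], None, 0, 0
    while i < len(block):
        ch = block[i]
        if quote is None and block.startswith("/*", i):
            end = block.find("*/", i + 2)
            i = len(block) if end < 0 else end + 2
            continue
        if ch == "\\" and i + 1 < len(block):
            buf.append(block[i:i + 2])  # keep escape pairs intact
            i += 2
            continue
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth = depth + 1 if ch == "(" else max(0, depth - 1)
        elif ch == ";" and depth == 0:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    return [p.strip() for p in parts + ["".join(buf)] if p.strip()]

def strip_script_properties(block):
    """Return the declaration list without script-bearing properties."""
    kept = []
    for decl in split_declarations(block):
        name, colon, _value = decl.partition(":")
        if colon and canonical_property(name) not in SCRIPT_BEARING:
            kept.append(decl)
    return "; ".join(kept)
```

A blocklist like this only covers the properties named in the thread; a site that accepts user CSS is safer keeping an allowlist of known-harmless properties and using the same normalization for the lookup.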


Re: security notice
Canada
2007-04-04 15:00:53

----- Original Message ----- 
From: "fantasai" <fantasai.listsinkedblade.net>
To: <www-stylew3.org>
Sent: Wednesday, April 04, 2007 1:22 PM
Subject: [becss] security notice


| 
| The BeCSS draft should note somewhere that the 'binding'
| property can introduce scripting and, unlike other CSS
| properties, may need to be stripped out of user-submitted
| content on sites like LiveJournal and weblogs.
| 
| ~fantasai
|

In principle, 'binding', 'behavio[u]r' and the like attributes
shall not have url/uri/iri values - just id's.

In any case binding is technology dependent - not all resources
can be presented as URL's now.

As an example, css:

li.myclass { binding: MyButton; }

and in script (global namespace):

var MyButton = 
{
   onmousedown: function() { /* ... */ },
   onmouseup: function() { /* ... */ }
};

Here binding point defines one 'class' from many in some script file.
The same can be applied to XBL and other similar technologies.

And more: ideally CSS should also allow import of 
scripts and other resources:

media screen 
{
    import-resource application/javascript "./my-componentes.js"
}

This way a single CSS file may be used for styling presentation and
behavior, allowing HTML to be used for semantic purposes only.

Andrew Fedoniouk.
http://terrainformatica.com

 

