Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relax <select> parser #1086

Open
josepharhar opened this issue Oct 9, 2024 · 1 comment
Open

Relax <select> parser #1086

josepharhar opened this issue Oct 9, 2024 · 1 comment
Assignees
@zcorpan
Labels
concerns: compatibility topic: HTML venue: WHATWG Specifications in a WHATWG Workstream

Comments

@josepharhar
Copy link

josepharhar commented Oct 9, 2024
edited
Loading

Request for Mozilla Position on an Emerging Web Specification

Other information

whatwg/html#10310 (comment)
This was referenced Oct 9, 2024
Open
Open
@zcorpan zcorpan added topic: HTML venue: WHATWG Specifications in a WHATWG Workstream concerns: compatibility labels Oct 10, 2024
@zcorpan zcorpan self-assigned this Oct 10, 2024
@zcorpan
Copy link
Member

zcorpan commented Oct 10, 2024

Per whatwg/html#10310 (comment) the web compat situation needs more clarity. But a parser change is needed here in order to support other elements in a custom select, and the direction proposed here seems like the best for web developers long-term.

I reviewed the security risk of this change in whatwg/html#10310 (comment)

Conclusion: sanitizers need to have general protection against mXSS, and so this change doesn't introduce new mXSS vectors, even though the parsed tree can be very different between new and legacy parsers.

I suggest position: positive.

@hsivonen should sign off here before setting a position label.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zcorpan zcorpan

Labels
concerns: compatibility topic: HTML venue: WHATWG Specifications in a WHATWG Workstream
Projects
standards-positions review
Status: Position is proposed
Milestone
No milestone
Development

No branches or pull requests
2 participants
@zcorpan @josepharhar