| 00:09 | <gsnedders> | https://github.com/html5lib/html5lib-python/issues/143 |
| 00:10 | <gsnedders> | Are data-* attributes safe from the POV of sanitizers? |
| 00:10 | <gsnedders> | I mean, so the spec requires that UAs do nothing for all of them, which should make them safe, right? |
| 00:21 | <MikeSmith> | unless some UAs do actually do something with them anyway |
| 00:21 | <MikeSmith> | which they shouldn't be doing but who knows |
| 00:22 | <Hixie> | gsnedders: for some definition of "safe", yes |
| 00:23 | <Hixie> | gsnedders: but e.g. maybe the page the markup is being embedded into has a script that uses data-* and has a vulnerability, in which case... |
| 00:23 | <Hixie> | i would avoid the word "safe" and always describe the attack scenario you're trying to avoid |
| 00:25 | <gsnedders> | Hixie: Well, surely this is true of any output of a sanitizer? If the page it is put into does stuff with script, it can be used for XSS. |
| 00:25 | <Hixie> | yep |
| 07:07 | <hsivonen> | From morning bugmail: "I liked that Firefox 27 would allow me to see many occurrences of |
| 07:07 | <hsivonen> | U+FFFD REPLACEMENT CHARACTER" |
| 07:07 | <hsivonen> | https://xkcd.com/1172/ is so true |
| 07:51 | SamB | doesn't really see there being a whole lot of point in using data-* in embedded HTML if a script, UA, or add-on isn't going to be looking at them ... well, or CSS ... |
| 07:54 | <Ms2ger> | UAs and add-ons shouldn't look at them |
| 07:54 | <Ms2ger> | They're just for script/style from the website itself |
| 08:58 | <zcorpan> | argh, it seems it's not possible to reopen issues in critic if the file the issue was about was removed |
| 14:06 | <zcorpan> | did blob.close(); blob.close(); throw before? |
| 14:13 | <jgraham> | I thought it didn't now? |
| 14:13 | <jgraham> | Or have I forgotten the way this changed? |
| 14:22 | <darobin> | blob.close(), blob.close(), you're my blob.close() |
| 14:24 | <zcorpan> | http://dev.w3.org/2006/webapi/FileAPI/#close-method |
| 14:25 | <zcorpan> | darobin: manboy? |
| 14:26 | <Ms2ger> | zcorpan, I think it was undefined before |
| 14:26 | <darobin> | zcorpan: Sex Bomb :) |
| 14:26 | <zcorpan> | darobin: ah |
| 14:27 | <zcorpan> | (i guess manboy lyrics is the other way around) |
| 14:29 | <darobin> | I don't know that song |
| 21:35 | <Hixie> | people interested in the HTML parser should post feedback on https://www.w3.org/Bugs/Public/show_bug.cgi?id=24833 |
| 23:25 | <zewt> | Your browser's current font size is not supported. Please reset to the standard font size. <- google, always setting such high standards for the web |
| 23:26 | <Hixie> | i have to admit i don't understand what docs is doing with that |
| 23:28 | <zewt> | that was gmail for me |
| 23:28 | <zewt> | er |
| 23:28 | <zewt> | maps |
| 23:29 | <jsbell> | Needless to say, searching on 'new' isn't helpful :P |
| 23:40 | SamB | guesses those ideas to fix all frameset URLs forever never actually went anywhere? |
| 23:46 | <Hixie> | zewt: maps? weird |
| 23:46 | <Hixie> | zewt: the new maps? |
| 23:54 | <zewt> | no |
| 23:55 | <Hixie> | zewt: in that case, good news! |
| 23:55 | <Hixie> | zewt: the new maps fixes this |
| 23:55 | <zewt> | new maps was horribly slow when I tried it |
| 23:55 | <Hixie> | try it again |
| 23:57 | SamB | had trouble finding Help in new maps ... |