WHATWG
2024-04-23
plaintext logs
prev next
source on github
07:23
<zcorpan>
The one about height and width am I right in thinking "field-sizing: content" fixes that?
I think so
07:25
<zcorpan>
Still no solution to inline buttons afaik https://twitter.com/ned/status/1051798190951940096
11:36
<Luke Warlow>
Does anyone happen to know if the sanitizer API has a list of all event handler attribute names? Or is it piggy backing off some other mechanism?
15:41
<annevk>
Luke Warlow: that part isn't written down yet. They will prolly end up being part of a larger list of attributes in the end, but could be made reusable. However, they would not include event handler attributes of XMLHttpRequest and the like.
15:42
<Luke Warlow>
Luke Warlow: that part isn't written down yet. They will prolly end up being part of a larger list of attributes in the end, but could be made reusable. However, they would not include event handler attributes of XMLHttpRequest and the like.
If they could be a separate list that's merged into the other than that would be useful. Trusted Types could piggy back of that list in that case?
15:42
<annevk>
This should probably be discussed with more people, but it doesn't seem unreasonable to me to blocklist all attributes starting with "on" for this purpose.
15:44
<Luke Warlow>
Interestingly that is how I had the spec originally (it's still implemented that way in WebKit for now). Where do you think is best to raise an issue? I think it makes sense to align TT and the sanitizer in this regard
15:56
<annevk>

Luke Warlow: I think it would make sense to raise an issue against the Sanitizer API suggesting that and then flag it for discussion during WHATNOT to see what people think as it would essentially enshrine the "on*" pattern. Both that we shouldn't use "on*" attributes for other things and that things that don't start with "on" should not be event handlers.

The small bit of complexity with the Sanitizer API is that it aims to standardize a safelist, but it will rely on "known attributes/elements" as well so there's a blocklist underneath, which might as well use "on*" for future proofing.

16:06
<Luke Warlow>
https://github.com/WICG/sanitizer-api/issues/226 - hopefully it's worded in a way that makes sense, I'll link to it on the WHATNOT meeting issue