From 790a339db18f1c697052446728641c9e6ef06bdb Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sat, 1 May 2010 19:28:28 -0400 Subject: htmlscrubber: Also allow some other html5 tags: canvas, progress, meter, ruby, rt, rp, details, summary. --- doc/bugs/html5_support.mdwn | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) (limited to 'doc/bugs/html5_support.mdwn') diff --git a/doc/bugs/html5_support.mdwn b/doc/bugs/html5_support.mdwn index 1ca45f46d..48b63b29a 100644 --- a/doc/bugs/html5_support.mdwn +++ b/doc/bugs/html5_support.mdwn @@ -68,23 +68,29 @@ HTML5](http://www.w3.org/TR/html5-diff/). > * Use nav for the actionbar > * Use placeholder in the search box. Allows closing > [[this_todo|Add_label_to_search_form_input_field]] +> * Use details tag instead of the javascript in the toggle plugin. +> (Need to wait on browser support probably.) > --[[Joey]] # htmlscrubber.pm needs to not scrub new HTML5 elements * [new elements](http://www.w3.org/TR/html5-diff/#new-elements) -> Most of these can be supported trivially, since they are just semantic -> markup. Make a list of these, and their attributes (and which attributes -> can contain urls or other javascript injection mechanisms), and I can add -> them. (Added several now.) Others, like `embed` are *scary*. --[[Joey]] - +> Many added now. +> +> Things I left out, too hard to understand today: +> Attributes contenteditabl, contextmenu, +> data-*, draggable, hidden, role, aria-*. Tags command, keygen, +> output. +> +> Clearly unsafe: embed. +> +> Apparently cannot be used w/o javascript: menu. +> > I have not added the new `ping` attribute, because parsing a > space-separeated list of urls to avoid javascript injection is annoying, > and the attribute seems generally dubious. -> -> Need to understand better the attributes contenteditabl, contextmenu, -> data-*, draggable, hidden, role, aria-*. Have not added those. --[[Joey]] +> --[[Joey]] # HTML5 Validation and t/html.t -- cgit v1.2.3