Along with supporting RDFa 1.1 I'm planning to add support for <link> and
rel="" in our RDFa code.
To protect against injection of HTML rel values (including
rel="stylesheet") I'm going to be converting all RDFa terms like "foo" to
CURIEs like ":foo" (these are almost exactly the same, and the "edge case"
shouldn't happen at all in RDFa 1.1).
((I really wanted to wrap everything except protocol whitelisted AbsIRIs
in safe CURIEs making that "[rdf:type]" and "[:stylesheet]" but
unfortunately it seems safe CURIEs are only valid in about and resource))
Anyone worried about the possibility that there's a badly written browser
out there that'll treat <link rel=":stylesheet" href="..."> as a valid
stylesheet and include it is welcome to try out any browser they can think
of and bring it up.
I've written a test case for it, http://bl.ocks.org/dantman/5695980; if the
bg there is red instead of blue then it's unsafe.
I've tested IE 6, IE 7, IE 8, IE 9, IE 10, Opera 10, Opera 12, Safari 5
(Windows), iOS 6's browser, Firefox 3.0, Firefox 21.0, Android 4's stock
browser, and Chrome 27. They're all safe.
--
~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
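Added example, not part of the original message or of the RDFa code it describes: a sketch of the term-to-CURIE rewrite for rel values, with a check that no token in the rewritten value still matches an HTML link type. The function names and the short list of link types are assumptions made for illustration.

```javascript
// Hypothetical helpers illustrating the rewrite described in the message above.

// HTML splits rel on ASCII whitespace and compares tokens case-insensitively.
const ASCII_WS = /[\t\n\f\r ]+/;

// Constructed sample of HTML link types that have side effects on <link>.
const HTML_LINK_TYPES = new Set(["stylesheet", "icon", "alternate", "prefetch", "preload"]);

function splitRel(rel) {
  return rel.split(ASCII_WS).filter((t) => t.length > 0);
}

// Rewrite every bare term ("foo") as a CURIE with an empty prefix (":foo").
// Tokens that already contain a colon (CURIEs, absolute IRIs) are left alone;
// protocol filtering of absolute IRIs is out of scope for this sketch.
function neutralizeRel(rel) {
  return splitRel(rel)
    .map((t) => (t.includes(":") ? t : ":" + t))
    .join(" ");
}

// Tokens that a consumer applying the HTML matching rules would act on.
function activeLinkTypes(rel) {
  return splitRel(rel)
    .map((t) => t.toLowerCase())
    .filter((t) => HTML_LINK_TYPES.has(t));
}

// Constructed input: mixed whitespace, mixed case, one existing CURIE.
const sample = "foo\tStyleSheet rdf:type  icon";
console.log(activeLinkTypes(sample));
console.log(neutralizeRel(sample));
console.log(activeLinkTypes(neutralizeRel(sample)));
```

The comparison is done on lowercased tokens because a case variant such as "StyleSheet" is otherwise missed by a naive filter, while the colon prefix defeats the match regardless of case.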