[css-forms-1] control-value() security and handling · Issue #11860 · w3c/csswg-drafts (original) (raw)

control-value() is morally equivalent to attr(), just with some special handling of the values since we know something about types. So, it should work identically to attr():

• it's an "arbitrary substitution function"
• it has the same tainting behavior as attr() (and so can't be used in a URL)