xemlock / htmlpurifier-html5

HTML5 support for HTMLPurifier
https://packagist.org/packages/xemlock/htmlpurifier-html5
MIT License

Allow <fieldset> and <label> in untrusted mode #48

Closed xemlock closed 4 years ago

xemlock commented 5 years ago

Currently the <fieldset> and <label> elements belong to the unsafe part of the HTML5_Forms module. When stripped of the form and for attributes they are harmless. I think that hiding them behind the HTML.Trusted flag, just as the other form elements (and scripts) are, is too drastic a measure.

All safe elements (<fieldset>, <label> and <progress>) should be extracted to a separate module (HTML5_SafeForms?). The module should be guarded by a config setting (%HTML.SafeForms), allowing it to be enabled in untrusted mode.

Also, users expect <fieldset> to be enabled by default:
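The workaround the issue implies, as an added example that is not code from the xemlock/htmlpurifier-html5 project or from the comment above: keep HTML.Trusted off and add <fieldset> and <label> to the definition with only HTMLPurifier's "Common" attribute collection, so the form and for attributes are never part of the allowed set. It assumes HTMLPurifier is installed through Composer and uses the core default definition; the function name buildPurifier and the HTML.DefinitionID value are this example's own choices.

```php
<?php
// Added example, not code from the xemlock/htmlpurifier-html5 project.
// Allow <fieldset> and <label> in an untrusted purifier by registering them
// with the "Common" attribute collection only (no form/for attributes).
// Assumes a Composer install of ezyang/htmlpurifier and its default definition.
require_once __DIR__ . '/vendor/autoload.php';

function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();

    // Untrusted mode: <form>, <input>, <script> and friends stay disallowed.
    $config->set('HTML.Trusted', false);

    // A DefinitionID/DefinitionRev pair lets the customized definition be
    // cached; bump DefinitionRev whenever the edits below change.
    $config->set('HTML.DefinitionID', 'untrusted-with-fieldset-label'); // example value
    $config->set('HTML.DefinitionRev', 1);

    // maybeGetRawHTMLDefinition() returns null when a cached copy already exists.
    if ($def = $config->maybeGetRawHTMLDefinition()) {
        // Arguments: element name, content set, content model, attribute collections.
        // "Common" covers id/class/title/lang/style and similar; it does not
        // include "form" or "for", so those attributes are dropped on input.
        $def->addElement('fieldset', 'Block', 'Flow', 'Common');
        $def->addElement('label', 'Inline', 'Inline', 'Common');
    }

    return new HTMLPurifier($config);
}

// Constructed sample input: a harmless grouping, plus the attributes and
// elements that must not survive untrusted purification.
$input = '<fieldset form="f1"><label for="x" title="Name">Name</label>'
       . '<input id="x" name="n"><script>alert(1)</script></fieldset>';

echo buildPurifier()->purify($input), PHP_EOL;
```

Because the two elements are registered with the Common collection only, the form and for attributes in the sample are not in the allowed attribute set and are removed, while <input> and <script> remain unavailable since HTML.Trusted is still false. The <legend> element is not registered here; add it the same way if the grouping needs a caption.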