Currently <fieldset> and <label> elements belong to unsafe part of HTML5_Forms module. When stripped of form and for attributes they are harmless. I think that hiding them behind HTML.Trusted flag, just as other form elements (and scripts) are, is too drastic a measure.
All safe elements: <fieldset>, <label> and <progress> should be extracted to a separate module (HTML5_SafeForms?). The module should be guarded by config setting (%HTML.SafeForms), allowing it to be enabled in untrusted mode.
Also, users expect that <fieldset> to be enabled by default:
Currently
<fieldset>
and<label>
elements belong to unsafe part ofHTML5_Forms
module. When stripped ofform
andfor
attributes they are harmless. I think that hiding them behindHTML.Trusted
flag, just as other form elements (and scripts) are, is too drastic a measure.All safe elements:
<fieldset>
,<label>
and<progress>
should be extracted to a separate module (HTML5_SafeForms
?). The module should be guarded by config setting (%HTML.SafeForms
), allowing it to be enabled in untrusted mode.Also, users expect that
<fieldset>
to be enabled by default: