From 2fc0f781ff1415f685d4dcba46a3e42a5a9487e2 Mon Sep 17 00:00:00 2001 From: Radu Cotescu Date: Tue, 1 Aug 2017 11:32:16 +0200 Subject: [PATCH] Extended data-sly-attribute section * added paragraph about the style and the event attributes --- SPECIFICATION.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/SPECIFICATION.md b/SPECIFICATION.md index e7d70c5..18a92dc 100644 --- a/SPECIFICATION.md +++ b/SPECIFICATION.md @@ -892,6 +892,8 @@ The attribute name and content are automatically XSS-protected accordingly, unle ``` +Event handler attributes (`on*`) and the `style` attribute cannot be generated with `data-sly-attribute` due to the fact that none of the available display contexts can fully protect against XSS attacks given the range of values that these attributes can contain. + ##### 2.2.3.1. Detailed Examples For all examples below, consider that following object is available in the context: ```javascript
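Review bot: The added paragraph after the code fence at line 892 says event handler attributes (`on*`) and `style` "cannot be generated with `data-sly-attribute`" but does not specify what an implementation must do when a template supplies one anyway. For a specification this leaves room for divergent behaviour. Suggest stating the required outcome explicitly, for example that the attribute is omitted from the output. The paragraph should also say whether the `on*` match on the attribute name is case-insensitive, since HTML attribute names are. Since the rationale is that "none of the available display contexts can fully protect against XSS", it would help to add that the restriction holds even when a display context is specified explicitly, if that is the intent. Minor wording: "due to the fact that" can be "because".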