- From: Mike West <notifications@github.com>
- Date: Fri, 05 Feb 2016 07:20:35 -0800
- To: w3c/webcomponents <webcomponents@noreply.github.com>
Received on Friday, 5 February 2016 15:21:13 UTC
This is one of the few ways to directly execute script from `innerHTML` (other injection mechanisms require user input/events). I agree with @sicking that this won't prevent XSS, but I disagree that it's not meaningful. Anecdotally, Google folks tell me that `innerHTML` is significantly more likely to contain XSS vectors than `appendChild` or `document.write`.

I'd like to close this hole by treating `<link>` in the same way that we treat `<script>`. +@annevk, how would you feel about adding the "already started" bit to a section of https://html.spec.whatwg.org/#parsing-main-inhead:already-started for `<link>`? It's only useful for imports at the moment, so...

I have a patch up to make this change for Chrome, regardless: https://codereview.chromium.org/1670203002

---
Reply to this email directly or view it on GitHub: https://github.com/w3c/webcomponents/issues/193#issuecomment-180398060