- From: Justin Fagnani <notifications@github.com>
- Date: Tue, 14 Nov 2017 17:26:19 +0000 (UTC)
- To: w3c/webcomponents <webcomponents@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 14 November 2017 17:26:50 UTC
With the removal of `replaceHTML()`, and if `replace()` performs escaping like setting `textContent`, the design of the template system should be fairly secure (pending actual security reviews).
One place it could be better is by adding contextual auto-escaping to prevent user-provided values from executing script when used in dangerous attributes, like with:
```html
<a href="{{url}}">{{title}}</a>
```
```js
template.createInstance({
url: 'javascript:alert("hi")',
title: 'XSS',
});
```
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/711
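The point made above, as an added example that is not code from the original post or from the template-instantiation proposal: a tiny string-based instantiator that shows why `textContent`-style escaping alone does not stop the `javascript:` URL, and what the contextual check for URL-valued attributes adds. The names `instantiate`, `isSafeUrl`, `URL_ATTRIBUTES` and `BLOCKED_URL` are this example's own, and the template and input are the ones from the post.

```javascript
// Added example: contrasts plain HTML-escaping of every bound value with
// contextual auto-escaping that also checks the URL scheme when the binding
// sits in an attribute the browser interprets as a URL. All names here are
// assumptions of this example, not the proposal's API.

// Attributes whose value the browser treats as a URL. Character escaping is
// not enough for these; the scheme has to be checked at binding time.
const URL_ATTRIBUTES = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

// Inert replacement for a rejected URL value (same idea as the
// "about:invalid" sentinel used by several safe-HTML libraries).
const BLOCKED_URL = 'about:invalid#blocked';

// What setting textContent / an escaped attribute buys you: the five
// significant characters become entities, nothing else changes.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
})[c]);

// Browsers strip leading/trailing C0 controls and spaces, drop tab/CR/LF
// anywhere, and compare schemes case-insensitively, so normalise the same
// way before looking at the scheme. Scheme-less (relative) URLs are fine.
function isSafeUrl(value) {
  const v = String(value)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(v);
  if (!m) return true;
  return ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// Fills `{{key}}` placeholders. With contextual=false every value is only
// HTML-escaped; with contextual=true a value bound into a URL attribute is
// additionally scheme-checked and replaced by BLOCKED_URL when it fails.
function instantiate(template, values, { contextual = true } = {}) {
  // Attribute bindings of the form name="{{key}}".
  let out = template.replace(/([a-zA-Z][\w:-]*)="\{\{(\w+)\}\}"/g, (_, attr, key) => {
    let v = values[key] ?? '';
    if (contextual && URL_ATTRIBUTES.has(attr.toLowerCase()) && !isSafeUrl(v)) {
      v = BLOCKED_URL;
    }
    return `${attr}="${escapeHtml(v)}"`;
  });
  // Remaining bindings are text content.
  out = out.replace(/\{\{(\w+)\}\}/g, (_, key) => escapeHtml(values[key] ?? ''));
  return out;
}

// The template and values from the post.
const TEMPLATE = '<a href="{{url}}">{{title}}</a>';
const INPUT = { url: 'javascript:alert("hi")', title: 'XSS' };

// Returns both renderings so the difference can be inspected directly.
function demo() {
  return {
    escapedOnly: instantiate(TEMPLATE, INPUT, { contextual: false }),
    contextual: instantiate(TEMPLATE, INPUT),
  };
}

console.log(demo());
```

With escaping only, the output is `<a href="javascript:alert(&quot;hi&quot;)">XSS</a>`: the quotes are entity-encoded, but the browser decodes entities in attribute values before parsing the URL, so the link still runs script when clicked. With the contextual check the `href` becomes `about:invalid#blocked` and the text binding is escaped as before. A real implementation would make this decision from the parsed template (which attribute the part belongs to) rather than from a regex, and would reject bindings into `on*` event-handler and `style` attributes outright rather than trying to escape them.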