- From: Boris Zbarsky <notifications@github.com>
- Date: Wed, 12 Feb 2020 22:55:29 -0800
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 13 February 2020 06:55:42 UTC
> This would be a "parser-only" feature, and adding the shadowroot attribute to an existing `<template>` would have no effect. Attribute injection, which is what this is responding to, means injecting them on the parser level. So the fact that this is a parse-only feature is not a protection against attribute injection. Specifically, if a page has a `<template>` and you manage to get `<script>` inside it, right now that is safe. If you can also get this new attribute on the `<template>`, that is no longer safe... -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-585580174
Received on Thursday, 13 February 2020 06:55:42 UTC