- From: Mason Freed <notifications@github.com>
- Date: Wed, 21 Oct 2020 10:15:16 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 21 October 2020 17:15:29 UTC
One issue has been brought to my attention (thanks @neilj!): there is the potential for a sanitizer bypass using declarative Shadow DOM. I've written up the [details of the issue](https://github.com/mfreed7/declarative-shadow-dom/blob/master/README.md#potential-html-sanitizer-bypass), but the TL/DR is that sanitizers that do **all three of these** are at risk:

1. Use the browser's parser (e.g. through DOMParser, innerHTML, etc.),
2. Do not have built-in understanding of declarative Shadow DOM, and
3. (Importantly) return live DOM rather than sanitized HTML.

I've been reaching out to sanitizer libraries to raise awareness of this issue, and thanks to @cure53, [DOMPurify has already released v2.2.0](https://twitter.com/cure53berlin/status/1318818166303281153) which should mitigate this issue.

View it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-713726883
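An added example, not code from the thread, from DOMPurify or from any other sanitizer, illustrating why the third condition matters for a defender: once the browser parser has consumed a `<template>` carrying the proposal's shadow-root attribute (assumed here to be `shadowroot`) and attached its content as a shadow root, a sanitizer whose tree walk only follows light-DOM children never visits that content, yet a consumer of the returned live DOM can still reach it. The tree below is a constructed stand-in built from plain objects, not the real DOM API, so it runs outside a browser.

```javascript
// Constructed stand-in for the browser DOM (plain objects), not the real API.
const ALLOWED_TAGS = new Set(['div', 'p', 'span', 'b', 'i']);

// Constructed stand-in for a DOMParser result whose markup contained
// `<template shadowroot="open">` (attribute name assumed from the proposal):
// the parser consumed the template and attached its content as a shadow root,
// so no <template> element remains in `children` for a walker to reject.
function freshTree() {
  return {
    tagName: 'div', shadowRoot: null, children: [
      { tagName: 'p', shadowRoot: null, children: [] },
      { tagName: 'div', children: [],
        shadowRoot: { children: [{ tagName: 'script', shadowRoot: null, children: [] }] } },
    ],
  };
}

// Every tag a consumer of the live tree can reach, shadow content included.
function reachableTags(node, out = []) {
  out.push(node.tagName);
  for (const c of node.children) reachableTags(c, out);
  if (node.shadowRoot) for (const c of node.shadowRoot.children) reachableTags(c, out);
  return out;
}

// Remove disallowed elements in place and return the tags that were removed.
// shadowAware=false is the pattern the thread warns about: only `children` are
// walked. shadowAware=true treats any parser-attached shadow root as untrusted
// and detaches it before walking the light-DOM children.
function sanitizeTree(node, shadowAware, removed = []) {
  if (shadowAware && node.shadowRoot) {
    for (const c of node.shadowRoot.children) reachableTags(c, removed);
    node.shadowRoot = null;
  }
  node.children = node.children.filter((child) => {
    if (!ALLOWED_TAGS.has(child.tagName)) { removed.push(child.tagName); return false; }
    sanitizeTree(child, shadowAware, removed);
    return true;
  });
  return removed;
}

// Does a <script> remain reachable in the live tree after sanitizing this way?
function scriptSurvives(shadowAware) {
  const tree = freshTree();
  sanitizeTree(tree, shadowAware);
  return reachableTags(tree).includes('script');
}
```

The light-DOM-only walk reports nothing removed while the script is still reachable through the shadow root; the shadow-aware walk detaches it. Returning serialized HTML instead of the live tree avoids the problem for a different reason: ordinary serialization does not emit shadow content, so the attached root never reaches the consumer.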