Re: [whatwg/dom] Declarative Shadow DOM (#831)

> Even if all major sanitizer libraries did eventually support this, it's still problematic that there are existing sanitizers that may end up with XSS. We may need to pursue some kind of opt-in mechanism for this so that the existing content that's not actively maintained doesn't get a new XSS vulnerability.

I understand your concern. Do you have a recommendation for a way to opt-in to declarative shadow dom that doesn’t come in-band with the (dirty) HTML being sanitized?

Overall, with or without declarative shadow dom, using “not actively maintained” sanitizer libraries is already a major security concern. New XSS exploits are discovered every day. I don’t think we should be handcuffed for all future Web features by the oldest sanitizer library currently in use.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-714252727

Received on Thursday, 22 October 2020 06:06:58 UTC