Re: [whatwg/dom] Declarative Shadow DOM (#831)

> To emphasize that, if you're using DOMPurify 2.0.16, released Sep 18 2020 (33 days ago), then you missed DOMPurify 2.0.17 released Sep 20 (31 days ago), and you're now vulnerable.
> 
> It isn't safe to use old versions of DOMPurify; this declarative shadow DOM doesn't fundamentally change that.

I fully agree; as a sanitizer library, we shouldn't be in the way of new features being added, even if they create new attack surface. Our job is to understand the existing attack surface as well as possible and react to it. Usually we don't get any warnings either, but develop based on this reactive approach, just as many other security tools do.

In this situation, we had a chance to act before the attack surface was even expanded, which is amazing and not the norm :D 

If project maintainers decide not to update their sanitizer library or keep an eye on its development (releases, tweets, mailing list, public billboards ... okay, kidding), then, well, they will have an XSS, and let's hope someone catches it.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-714282410

Received on Thursday, 22 October 2020 07:10:52 UTC