Re: [whatwg/dom] Declarative Shadow DOM (#831)

> > Even if all major sanitizer libraries did eventually support this, it's still problematic that there are existing sanitizers that may end up with XSS. We may need to pursue some kind of opt-in mechanism for this so that the existing content that's not actively maintained doesn't get a new XSS vulnerability.
> 
> I understand your concern. Do you have a recommendation for a way to opt-in to Declarative Shadow DOM that doesn’t come in-band with the (dirty) HTML being sanitized?

Not off the top of my head. I don't think it's easy to add one without some kind of new HTML mode and/or not allowing it to appear anywhere template can appear. This is a tricky issue I'd say. One way to mitigate this issue is to punt the parser behavior and just go with a `shadow` element.

> I don’t think we should be handcuffed for all future Web features by the oldest sanitizer library currently in use.

We're already there, given we're using the template element partially due to the XSS concern associated with the parser behavior change.

-- 
https://github.com/whatwg/dom/issues/831#issuecomment-714284849

Received on Thursday, 22 October 2020 07:15:18 UTC