- From: Krzysztof Kotowicz <notifications@github.com>
- Date: Thu, 22 Oct 2020 03:48:42 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 10:48:54 UTC
To my understanding, declarative shadow DOM might also affect server-side sanitizers that parse HTML. Server-side injection producing HTML with <template> node (which used to be secure because `<template>` was inert since its inception) can now cause XSS. Have you explored that? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714408135
Received on Thursday, 22 October 2020 10:48:54 UTC