- From: Krzysztof Kotowicz <notifications@github.com>
- Date: Thu, 22 Oct 2020 08:41:02 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 15:41:14 UTC
This also affects non-JS based server-side sanitizers. There is no DOM on the server side, though Node programs sometimes emulate it. My concern is that if there is an HTML response that contains a user-controlled `<template>` tag (which might be the case for existing sanitizers that pass through `<template>`s due to their inertness), now this results in an XSS.

View it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714581234