Re: [whatwg/dom] Declarative Shadow DOM (#831)

> This also affects non-JS-based server-side sanitizers. There is no DOM on the server side, though node programs sometimes emulate it. My concern is that if there is an HTML response that contains a user-controlled `<template>` tag (which might be the case for existing sanitizers that pass through `<template>`s due to their inertness), now this results in an XSS.

Right, I agree that this might be a concern. But again, I would be really surprised if many sanitizer libraries just ignored entire subtrees of any kind. That is just asking for a bypass. I just tried [js-xss](https://jsxss.com/en/try.html) and it doesn't even allow un-escaped `<template>`, let alone the sub-tree. I couldn't find an online tester for sanitize-html.

-- 
https://github.com/whatwg/dom/issues/831#issuecomment-714590352

Received on Thursday, 22 October 2020 15:56:03 UTC
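
The concern discussed in this message, as an added example (not code from the thread or from any sanitizer named in it): a toy allowlist sanitizer on Python's `html.parser`, run once in a mode that copies `<template>` subtrees through because they are assumed inert, and once in a mode that filters them like any other markup. The allowlist, the sample input and the `shadowrootmode` attribute (the name in the current HTML standard, not mentioned in the message) are assumptions.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED = {"p", "b", "i", "template"}  # constructed allowlist; no attributes are kept
DROP_CONTENT = {"script", "style"}     # html.parser delivers their bodies as raw data

class Sanitizer(HTMLParser):
    def __init__(self, trust_template_inertness=False):
        super().__init__(convert_charrefs=True)
        self.trust = trust_template_inertness
        self.out, self.tpl_depth, self.dropping = [], 0, False

    def _raw(self, tag):
        # Weak mode: <template> and everything nested in it is copied through.
        return self.trust and (tag == "template" or self.tpl_depth > 0)

    def handle_starttag(self, tag, attrs):
        if self._raw(tag):
            self.out.append(self.get_starttag_text())
        elif tag in DROP_CONTENT:
            self.dropping = True
        elif tag in ALLOWED:
            self.out.append(f"<{tag}>")  # every attribute is stripped
        if tag == "template":
            self.tpl_depth += 1

    def handle_endtag(self, tag):
        if tag == "template" and self.tpl_depth:
            self.tpl_depth -= 1
        if self._raw(tag) or tag in ALLOWED:
            self.out.append(f"</{tag}>")
        elif tag in DROP_CONTENT:
            self.dropping = False

    def handle_data(self, data):
        if self.trust and self.tpl_depth:
            self.out.append(data)          # weak mode: template text is not escaped
        elif not self.dropping:
            self.out.append(escape(data))

def sanitize(markup, trust_template_inertness=False):
    parser = Sanitizer(trust_template_inertness)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed sample: user-controlled markup carrying a declarative shadow root.
SAMPLE = ('<p>hi</p><template shadowrootmode="open"><b>x</b>'
          '<img src="x" onerror="alert(1)"><script>alert(2)</script></template>')
WEAK = sanitize(SAMPLE, trust_template_inertness=True)  # subtree survives unchanged
STRICT = sanitize(SAMPLE)                               # subtree is filtered too
```

Feeding the same constructed sample to an existing sanitizer and checking its output for event-handler attributes or `<script>` inside `<template>` gives a quick regression test for this pass-through behaviour.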