- From: Justin Fagnani <notifications@github.com>
- Date: Thu, 22 Oct 2020 09:03:15 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 16:03:27 UTC
I want to point out that it's not just declarative shadow DOM that has this issue. Userland libraries that create DOM from `<template>`s (or other containers for that matter) often are sources of "gadget" vulnerabilities. Polymer had to add mitigations, and Vue's potential vulnerabilities in this area have recently been reported on. It's probably a _good_ thing if we consolidate all potential gadget constructs into `<template>` so that sanitizers can handle them universally and protect against both built-in and userland template-stamping without needing custom per-framework sanitizers.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714595038