- From: Mason Freed <notifications@github.com>
- Date: Thu, 22 Oct 2020 09:03:16 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 16:03:28 UTC
> The problem is that they might have a safe default. But then people allow-list `<template>` with no harm in mind, unaware of the issue, and then they get XSS. But again here - even if people allow-list `<template>`, that should **never** make the sanitizer ignore the entire sub-tree, right? I.e. if I allow-list `<body>` does my entire document skip the sanitizer? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714595041
Received on Thursday, 22 October 2020 16:03:28 UTC