- From: Cure53 <notifications@github.com>
- Date: Thu, 22 Oct 2020 09:07:10 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 16:07:22 UTC
> > The problem is that they might have a safe default. But then people allow-list `<template>` with no harm in mind, unaware of the issue, and then they get XSS. > > But again here - even if people allow-list `<template>`, that should **never** make the sanitizer ignore the entire sub-tree, right? I.e. if I allow-list `<body>` does my entire document skip the sanitizer? Of course :D But remember, our problem was that the sanitizer didn't see the sub-tree (because it was a closed shadowroot) and hence was bypassable. In the eyes of the browser/the sanitizer, it was a text node. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714597409
Received on Thursday, 22 October 2020 16:07:22 UTC