- From: Krzysztof Kotowicz <notifications@github.com>
- Date: Thu, 22 Oct 2020 09:11:53 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 16:12:10 UTC
> even if people allow-list `<template>`, that should never make the sanitizer ignore the entire sub-tree, right? I.e. if I allow-list `<body`> does my entire document skip the sanitizer? `<template>` makes its whole subtree inert, which is why ignoring the subtree would not have caused XSS, at least directly - there might be application-specific gadgets that would import the "scripty" nodes from under the template. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714600412
Received on Thursday, 22 October 2020 16:12:10 UTC