Re: [whatwg/dom] Declarative Shadow DOM (#831)

> If we've already found a sanitizing library which has this XSS issue, I'm sure there are dozens if not hundreds of other code that has the same issue, and we would be introducing new XSS vulnerabilities in sites where such code is deployed.

So you are saying that sites that use XSS sanitizers will have vulnerabilities if they change/add/let users add code?
Am I missing something, or why do sanitizers not drop any unknown tag and its contents for security reasons? To me it looks like people are relying on insecure tools to circumvent XSS, if that is the case. Wrong?

Both implementation and adoption of declarative shadow DOM will take a long time, many months to years, and until then sanitizer vendors will have time to fix their sanitization (including the sanity of dropping elements from the DOM that their sanitizers do not understand). Right?


https://github.com/whatwg/dom/issues/831#issuecomment-715477379

Received on Friday, 23 October 2020 17:34:59 UTC
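The contrast the message above draws, a sanitizer that drops what it does not understand versus one that only removes what it knows to be dangerous, as an added example that is not code from this thread, from the spec, or from any real sanitizer. It runs two toy policies over one constructed input. The allowlist policy keeps only known elements and, per element, only known attributes, and drops unknown container elements together with their content; the denylist policy keeps everything except `on*` handlers, `javascript:` values and `<script>`. The attribute name `shadowroot` is assumed from the declarative shadow DOM proposal under discussion (the message itself does not name it); the element and attribute lists are assumptions for illustration only. The regex tokenizer exists only so the example runs outside a browser; a real sanitizer must use the platform's own HTML parser, because a hand-written tokenizer and the browser will disagree on edge cases, and that disagreement is itself an XSS vector.

```javascript
// Added example: toy allowlist vs. denylist sanitizer (not any real library's code).
// Names, lists and the sample input below are constructed assumptions for illustration.

const ALLOWED_ELEMENTS = new Set(["p", "b", "i", "a", "template"]); // assumption: template was treated as inert
const ALLOWED_ATTRS = { a: new Set(["href"]) };                      // assumption: per-element attribute allowlist
const VOID_ELEMENTS = new Set(["img", "br", "hr", "input", "meta", "link"]);

// Minimal tokenizer for well-formed markup: text, <tag attr="v">, </tag>.
// NOT an HTML parser; it is here only so the example runs in Node without a DOM.
const TOKEN_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)([^>]*)>|([^<]+)/g;
const ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function tokenize(html) {
  const tokens = [];
  let m;
  while ((m = TOKEN_RE.exec(html)) !== null) {
    if (m[3] !== undefined) { tokens.push({ type: "text", text: m[3] }); continue; }
    const closing = m[0].startsWith("</");
    const attrs = [];
    if (!closing) {
      let a;
      while ((a = ATTR_RE.exec(m[2])) !== null) {
        attrs.push({ name: a[1].toLowerCase(), value: a[2] ?? a[3] ?? a[4] ?? "" });
      }
    }
    tokens.push({ type: closing ? "close" : "open", name: m[1].toLowerCase(), attrs });
  }
  return tokens;
}

function escapeText(s) { return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"); }
function escapeAttr(s) { return escapeText(s).replace(/"/g, "&quot;"); }
function openTag(name, attrs) {
  return `<${name}${attrs.map((a) => ` ${a.name}="${escapeAttr(a.value)}"`).join("")}>`;
}

// Policy 1: keep only known elements and known attributes; an unknown container
// element is dropped together with everything inside it.
function sanitizeAllowlist(html) {
  const out = [];
  const skipping = []; // names of open elements whose whole subtree is being dropped
  for (const t of tokenize(html)) {
    if (skipping.length > 0) {
      if (t.type === "close" && t.name === skipping[skipping.length - 1]) skipping.pop();
      else if (t.type === "open" && !VOID_ELEMENTS.has(t.name)) skipping.push(t.name);
      continue;
    }
    if (t.type === "text") { out.push(escapeText(t.text)); continue; }
    if (!ALLOWED_ELEMENTS.has(t.name)) {
      if (t.type === "open" && !VOID_ELEMENTS.has(t.name)) skipping.push(t.name);
      continue; // unknown element: tag dropped, and for containers the content too
    }
    if (t.type === "close") { out.push(`</${t.name}>`); continue; }
    const allowed = ALLOWED_ATTRS[t.name] ?? new Set();
    out.push(openTag(t.name, t.attrs.filter((a) => allowed.has(a.name)))); // unknown attributes dropped
  }
  return out.join("");
}

// Policy 2: keep everything except what the sanitizer already knows is dangerous.
// An attribute the platform later gives meaning to passes straight through.
function sanitizeDenylist(html) {
  const out = [];
  let inScript = false;
  for (const t of tokenize(html)) {
    if (t.type === "open" && t.name === "script") { inScript = true; continue; }
    if (t.type === "close" && t.name === "script") { inScript = false; continue; }
    if (inScript) continue;
    if (t.type === "text") { out.push(escapeText(t.text)); continue; }
    if (t.type === "close") { out.push(`</${t.name}>`); continue; }
    const attrs = t.attrs.filter((a) => !/^on/i.test(a.name) && !/^\s*javascript:/i.test(a.value));
    out.push(openTag(t.name, attrs));
  }
  return out.join("");
}

// Check used to compare the two results: does a <template> still carry a shadowroot attribute?
function hasShadowRootAttr(html) {
  return /<template\b[^>]*\bshadowroot\b/i.test(html);
}

// Constructed input: a <template> carrying the (assumed) shadowroot attribute, a payload
// inside it, and an unknown custom element.
const SAMPLE_INPUT =
  '<p>Hello <b>world</b><template shadowroot="open"><img src="x" onerror="alert(1)"></template>' +
  '<custom-x>hidden</custom-x></p>';

console.log("allowlist:", sanitizeAllowlist(SAMPLE_INPUT));
console.log("denylist: ", sanitizeDenylist(SAMPLE_INPUT));
```

The allowlist output keeps `<template></template>` but strips the attribute it does not know and the unknown `<img>` and `<custom-x>` subtrees, so nothing in it changes meaning when the platform starts honouring `shadowroot`. The denylist output removes only `onerror` and ships `<template shadowroot="open">` untouched: the sanitizer was correct on the day it was written, and the platform change is what made its output dangerous.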