- From: inoas <notifications@github.com>
- Date: Mon, 26 Oct 2020 05:44:45 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 26 October 2020 12:44:58 UTC
> We probably need to make DOMParser and other DOM API to parse HTML not handle declarative Shadow DOM by default. 1. So @rniwa you supplied an idea how to deal with browser based sanitizers[^1] that @mfreed7 pointed out. Would that work for you @mfreed7 2. @rniwa The server side sanitizer issue can be easily solved by adding an HTTP header/HTML head meta tag to make the browser opt-into the feature. Thus as @mfreed7 pointed out we cannot be responsible for santizers and programmers/administrators are in charge of sanitization if they add that flag. They would not add the flag without using the feature anyway. Given adoption time of new browser features, sanitizers can adopt TODAY and users are save tomorrow. If they don't adopt they are not worth their name and should be treated as malware. [^1] Who in their sane mind relies on client/browser side sanitization, _alone_? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-716522206
Received on Monday, 26 October 2020 12:44:58 UTC