Re: [whatwg/dom] Declarative Shadow DOM (#831)

> Should we maybe step back, look at the root cause of the bypass and then see how this might affect other sanitizers as well and how we can prevent it?

In case we want to do that indeed, here is a quick wrap-up about what the core problem was (short form of what was already [mentioned here](https://github.com/whatwg/dom/issues/831#issuecomment-716260127)):

Ours, as well as likely any other DOM-based sanitizer, could not sanitize the content of the closed shadowroot because _it didn't see it_.

The browser didn't parse it, and hence produced a text node instead of an element. Had the browser produced an _element_, we would not have had any bypasses, and the whole discussion about sanitizers would likely be non-existent. We might want to think about whether it makes sense for closed shadowroots to be exposed in the DOM/to the sanitizer as text nodes.

Things that were not contributing to this being a bypass:

* Sanitizer not sanitizing template elements
* Some browsers being old
* This being a new feature like HTML imports, almost no sane sanitizer was bypassed by that

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717058025

Received on Tuesday, 27 October 2020 07:55:52 UTC