- From: Ryosuke Niwa <notifications@github.com>
- Date: Tue, 27 Oct 2020 02:02:00 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/831/717092318@github.com>
> ### Server-side sanitizers simply must sanitize `<template>`s
>
> There are browsers in depressingly common use today that don't support the `<template>` tag. https://caniuse.com/template IE11 doesn't support it, Opera Mini doesn't support it, and Safari 7 doesn't support it. Those appear to be the most popular legacy browsers in modern use that don't support `<template>`, but if you're designing a sanitizer, even if you "don't support IE11," it's not OK to simply assume that _any_ client you engage with will support `<template>`.

This is true.

> Therefore, for security purposes, it is not acceptable to skip sanitizing dangerous code like `<script>` and `onmousemove` attributes inside `<template>`. At the very least, that will pwn your IE11, Opera Mini, and Safari 7 users.

This does not follow.

> Since legacy browsers exist, it is simply incorrect for a server-side sanitizer to assume that `<template>` will necessarily be inert. Any sanitizer that assumes that is buggy/wrong _today._

That's not true. A given website may only support & serve content to "modern" web browsers that support template elements. Any sanitizer on such a website need not worry about browsers that don't support template elements.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717092318
Received on Tuesday, 27 October 2020 09:02:16 UTC
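The thread turns on one design question: does a server-side sanitizer treat the children of `<template>` like any other subtree, or does it pass them through on the assumption that the client will keep them inert? The following is an added example written for this page, not code from the WHATWG DOM project or from either participant. It is a small allowlist sanitizer built on Python's standard `html.parser`; the tag and attribute allowlists, the `safe_url` helper and the `descend_into_template` switch are all constructed here for illustration. With the switch on (the default) `<script>` elements and `on*` attributes are removed wherever they appear; with it off the sanitizer reproduces the weaker behaviour under discussion, copying the `<template>` subtree through unfiltered, so the two outputs can be compared side by side on the same constructed input.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example; a real deployment would tune them.
ALLOWED_TAGS = {"a", "b", "i", "p", "br", "div", "span", "ul", "li", "template"}
ALLOWED_ATTRS = {"href", "title", "class"}
URL_ATTRS = {"href"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are both removed
VOID_TAGS = {"br"}


def safe_url(value):
    """Accept relative URLs and a few schemes; reject javascript:, data:, etc.
    Whitespace and control characters are stripped first, since browsers
    ignore them inside a scheme ("java\\tscript:")."""
    v = "".join(ch for ch in value.lower() if ch > " ")
    head = v.split(":", 1)[0]
    if head == v or any(c in head for c in "/?#"):
        return True  # no scheme component before the path -> relative URL
    return v.startswith(SAFE_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags and attributes.

    descend_into_template=False reproduces the weak behaviour debated in the
    thread: a <template> subtree is copied through unfiltered on the
    assumption that the browser will keep it inert. (Hypothetical switch,
    present only to make the difference visible.)
    """

    def __init__(self, descend_into_template=True):
        super().__init__(convert_charrefs=True)
        self.descend = descend_into_template
        self.out = []
        self.dropping = False  # inside <script>/<style>: discard everything
        self.raw_depth = 0     # nesting depth inside a passed-through <template>

    def handle_starttag(self, tag, attrs):
        if self.raw_depth:                      # weak mode: verbatim copy
            if tag == "template":
                self.raw_depth += 1
            self.out.append(self.get_starttag_text())
            return
        if self.dropping:
            return
        if tag in DROP_WITH_CONTENT:
            self.dropping = True                # html.parser treats these as CDATA
            return
        if tag == "template" and not self.descend:
            self.raw_depth = 1
            self.out.append(self.get_starttag_text())
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element dropped; its children are still filtered
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name not in ALLOWED_ATTRS:
                continue  # event handlers and non-allowlisted attributes
            if name in URL_ATTRS and not safe_url(value or ""):
                continue  # javascript:/data: and similar URL schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.raw_depth:
            self.out.append(f"</{tag}>")
            if tag == "template":
                self.raw_depth -= 1
            return
        if self.dropping:
            if tag in DROP_WITH_CONTENT:
                self.dropping = False
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize(html, descend_into_template=True):
    p = AllowlistSanitizer(descend_into_template)
    p.feed(html)
    p.close()  # flush any buffered trailing text
    return "".join(p.out)


# Constructed sample: a handler attribute outside <template>, and a script
# plus a javascript: link inside it.
SAMPLE = ('<p>Hi <b onmouseover="alert(1)">there</b></p>'
          '<template><script>alert("hi")</script>'
          '<a href="javascript:alert(2)">x</a></template>')

if __name__ == "__main__":
    print("descending:", sanitize(SAMPLE))
    print("pass-through:", sanitize(SAMPLE, descend_into_template=False))
```

Run stand-alone, the first line shows the `<template>` kept but its contents reduced to `<a>x</a>`; the second keeps the script and the `javascript:` link intact inside `<template>`, which is exactly the content that a client without `<template>` support would render as ordinary DOM. The only design decision that matters for the thread's question is the one line that decides whether `template` is just another allowlisted container; treating it that way costs nothing on modern browsers and removes the dependency on client behaviour.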