Re: [whatwg/dom] Declarative Shadow DOM (#831)

> That's not true. A given website may only support & serve content to "modern" web browsers that support template elements. Any sanitizer on such a website need not to worry about browsers that don't support template elements.

This is false. User agent spoofing is a reality.

Also, client-side-only XSS sanitization is an insecure-by-design anti-pattern. The discussion here shows why. You should not make assumptions about what the agent can or cannot do. You don't know.

Also, the IE11/Safari 7 examples given do not matter.

Apple has dropped user security concerns for Safari 7. The last update is more than 5 years old, which proves that point: https://support.apple.com/en-us/HT205033 - Microsoft hasn't updated Internet Explorer 11 for more than 1 year. It is entirely the companies' and/or users' fault. As for the companies, a sane security default would have been to ship an auto-uninstaller as part of the last patches of Obsoleteware. Even Adobe managed to do that with Flash.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717100541

Received on Tuesday, 27 October 2020 09:16:26 UTC