- From: Andrea Giammarchi <notifications@github.com>
- Date: Tue, 27 Oct 2020 02:22:26 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 27 October 2020 09:22:39 UTC
> Therefore, for security purposes, it is not acceptable to skip sanitizing dangerous code like `<script>` and onmousemove attributes inside `<template>`. At the very least, that will pwn your IE11, Opera Mini, and Safari 7 users.

FWIW, in [uce-template](https://github.com/WebReflection/uce-template#readme), which already does pretty much everything discussed here regarding SSR, I've solved the IE11 (and other legacy) `<script>` issue by simply using/requiring `type="module"`, which is also not supported by legacy browsers, including IE11; and if there is a `template {display:none}` on top, no `mousemove` or other events can happen. Requiring `display:none` could also be done as an inline `style`, and it looks like a very easy workaround for legacy only, if legacy is even a desired target once this new spec ships cross-browser and is widely adopted.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-717104273
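The two legacy mitigations in the reply above (scripts inside a `<template>` carrying `type="module"`, and the template being `display:none`) can be checked at build time over server-rendered markup. The following is an added example written for this page; it is not code from uce-template, from the WHATWG thread, or from any browser. The function names, the finding rule names, and the sample markup are this example's own constructions, and the tag scanner assumes well-formed markup that you generated yourself: it is a lint for your own SSR output, not a sanitizer for untrusted HTML, and it does not handle nested `<template>` elements.

```javascript
// Added example (not from uce-template or the thread): lint server-rendered
// <template> markup for the two legacy-browser mitigations. A browser without
// <template> support (IE11, Safari 7, Opera Mini) parses the children as live
// DOM, so:
//   1. every <script> inside must carry type="module": legacy browsers skip
//      script types they do not recognise, so the script is inert there;
//   2. the <template> should carry inline style="display:none" (or the page
//      must ship a `template { display: none }` rule) so its children receive
//      no mouse events and inline on* handlers such as onmousemove cannot fire.
// Minimal scanner for well-formed markup you produced yourself; not a sanitizer.

const TEMPLATE_OPEN = /<template\b([^>]*)>/gi;
const TEMPLATE_CLOSE = /<\/template\s*>/gi;
const SCRIPT_OPEN = /<script\b([^>]*)>/gi;
const TAG_OPEN = /<([a-z][a-z0-9-]*)\b([^>]*)>/gi;
const ATTR = /([^\s="'<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Parse the attribute text of one start tag into a Map of lowercased name -> value.
function parseAttributes(attrText) {
  const attrs = new Map();
  ATTR.lastIndex = 0;
  let a;
  while ((a = ATTR.exec(attrText)) !== null) {
    attrs.set(a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '');
  }
  return attrs;
}

// True when an inline style declares display:none (with or without !important).
function isDisplayNone(style) {
  if (!style) return false;
  return style.split(';').some((decl) => {
    const idx = decl.indexOf(':');
    if (idx === -1) return false;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const value = decl.slice(idx + 1).replace(/!important/i, '').trim().toLowerCase();
    return prop === 'display' && value === 'none';
  });
}

// Return findings {rule, offset, detail} for every <template> in html.
// Rule names are this example's own: template-not-hidden, script-not-module,
// inline-handler-live (handler on a visible element), inline-handler-hidden.
function checkTemplateMarkup(html) {
  const findings = [];
  TEMPLATE_OPEN.lastIndex = 0;
  let t;
  while ((t = TEMPLATE_OPEN.exec(html)) !== null) {
    const innerStart = TEMPLATE_OPEN.lastIndex;
    TEMPLATE_CLOSE.lastIndex = innerStart;
    const close = TEMPLATE_CLOSE.exec(html);
    const innerEnd = close ? close.index : html.length;
    const inner = html.slice(innerStart, innerEnd);
    const hidden = isDisplayNone(parseAttributes(t[1]).get('style'));
    if (!hidden) {
      findings.push({ rule: 'template-not-hidden', offset: t.index, detail: 'no inline style="display:none"' });
    }
    SCRIPT_OPEN.lastIndex = 0;
    let s;
    while ((s = SCRIPT_OPEN.exec(inner)) !== null) {
      const type = (parseAttributes(s[1]).get('type') || '').trim().toLowerCase();
      if (type !== 'module') {
        findings.push({ rule: 'script-not-module', offset: innerStart + s.index, detail: `type="${type}"` });
      }
    }
    TAG_OPEN.lastIndex = 0;
    let g;
    while ((g = TAG_OPEN.exec(inner)) !== null) {
      for (const name of parseAttributes(g[2]).keys()) {
        if (name.startsWith('on')) {
          findings.push({
            rule: hidden ? 'inline-handler-hidden' : 'inline-handler-live',
            offset: innerStart + g.index,
            detail: `<${g[1].toLowerCase()} ${name}>`,
          });
        }
      }
    }
    TEMPLATE_OPEN.lastIndex = innerEnd; // resume after this template's content
  }
  return findings;
}

// True when a legacy browser would actually run something: a script it would
// execute, or an inline handler on an element that can receive events.
function legacyRisk(findings) {
  return findings.some((f) => f.rule === 'script-not-module' || f.rule === 'inline-handler-live');
}

// Constructed sample markup (not from the thread): unhardened and hardened forms.
const UNSAFE_MARKUP = `
<template>
  <div onmousemove="track(event)">hover me</div>
  <script>init()</script>
</template>`;

const HARDENED_MARKUP = `
<template style="display:none">
  <div onmousemove="track(event)">hover me</div>
  <script type="module">import './init.js';</script>
</template>`;

for (const [label, markup] of [['unsafe', UNSAFE_MARKUP], ['hardened', HARDENED_MARKUP]]) {
  const findings = checkTemplateMarkup(markup);
  console.log(label, legacyRisk(findings) ? 'RISK' : 'ok', findings.map((f) => f.rule));
}
```

The hardened sample still reports the `onmousemove` attribute as `inline-handler-hidden`: the handler is present and would be live again in any legacy browser where the `display:none` rule is missing or overridden, which is why the reply above treats the style as a requirement rather than an optional nicety.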