- From: Ryosuke Niwa <notifications@github.com>
- Date: Tue, 27 Oct 2020 02:59:59 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 27 October 2020 10:00:12 UTC
One terrible but a sure way to mitigate the server-side XSS risk is to require an attribute that starts with "on" to enable declarative Shadow DOM on a template element: e.g. `<template onshadowmode=closed>`. This is a pretty horrible idea but it's one way to solve it. I'm sure we can come up with a better idea. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-717126214
Received on Tuesday, 27 October 2020 10:00:12 UTC