- From: inoas <notifications@github.com>
- Date: Tue, 27 Oct 2020 12:44:26 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 27 October 2020 19:44:41 UTC
> @mfreed7 Just as FYI, arguing that this doesn't matter isn't a winning strategy in any argument, really. If you're going to keep pushing this discussion in that direction, I'm not certain that we'd ever reach a consensus here. @rniwa maybe to reach a consensus there needs to be the attitute of constructivism over denial. You have been asked before: https://github.com/whatwg/dom/issues/831#issuecomment-717466622 As far as I have understood client side XSS would not be an issue for patched sanitizers like the major player DOMPurify is already today. If server side XSS is the issue I still don't understand where the issue lies with a custom header/html meta element to opt-into a potentially dangerous feature (dangerous because the server side XSS sanitizers are not strict in the real world and treat unknown elements as text instead of a threat, which is what they should do). @rniwa So can this go anywhere on your watch, and if, how? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-717491837
Received on Tuesday, 27 October 2020 19:44:41 UTC