Re: [whatwg/dom] Declarative Shadow DOM (#831)

> 1. I'm not sure there are no other concerns than XSS as [#831 (comment)](https://github.com/whatwg/dom/issues/831#issuecomment-717890389) seems to list some.

If @hsivonen's [#831 (comment)](https://github.com/whatwg/dom/issues/831#issuecomment-717890389)'s second-to-last point is that we must support streaming, then this feature is DOA. We're back to square one, to where we were before the current iteration started. We would object to having a version of this feature where streaming is supported on the basis that such a feature will likely introduce new security bugs in the browser engine for years to come. The benefit-to-cost ratio is definitely in negative territory at that point.

> I understand that (hence calling it a conflation of problems), I still don't think it needs a solution. If you are not stripping attributes you likely have other issues.

I disagree. WebKit's copy-paste sanitization code does this exact thing of stripping *on* content attributes and a few elements but not all content attributes.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/831#issuecomment-718534647

Received on Thursday, 29 October 2020 09:25:37 UTC