- From: Dan Fabulich <notifications@github.com>
- Date: Thu, 29 Oct 2020 02:40:22 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 29 October 2020 09:40:36 UTC
I just realized a flaw in my `<script type="shadowroot">` idea: sanitizers need to sanitize styles, too. Otherwise, attacker-controlled HTML could declare a full-screen style `height: 100%; width: 100%; left: 0; top: 0; position: fixed;` and effectively take over the page, even without script. (Is it considered an "XSS" attack when it doesn't use script?)

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-718553633
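The mitigation implied by the comment above is a sanitizer that runs the declarative shadow-root markup through the same rules as the host document and allow-lists CSS properties instead of passing `style` through untouched. The Python sketch below is an added example, not code from this thread or from any WHATWG or browser project; its allow-lists are constructed for illustration, and it assumes the standard-library `html.parser` with its `CDATA_CONTENT_ELEMENTS` class attribute overridden so that `<script type="shadowroot">` content is tokenised as HTML rather than raw text.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-lists for this illustration; a production sanitizer's are far larger.
ALLOWED_TAGS = {"p", "div", "span", "b", "i", "em", "strong", "ul", "li", "template"}
ALLOWED_ATTRS = {"title", "style", "shadowroot"}
ALLOWED_CSS = {"color", "font-weight", "font-style", "text-decoration"}

def sanitize_style(value):
    # Keep only allow-listed declarations; position/top/left/width/height are not listed,
    # so the full-screen overlay from the thread cannot survive.
    kept = []
    for decl in value.split(";"):
        prop, sep, val = decl.partition(":")
        if sep and prop.strip().lower() in ALLOWED_CSS:
            kept.append(f"{prop.strip().lower()}: {val.strip()}")
    return "; ".join(kept)

class Sanitizer(HTMLParser):
    # Assumption: script content is tokenised as HTML so shadow-root children get the same rules.
    CDATA_CONTENT_ELEMENTS = ("style",)
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], None
    def handle_starttag(self, tag, attrs):
        if self.skip:
            return
        if tag == "script" and dict(attrs).get("type") == "shadowroot":
            self.out.append('<script type="shadowroot">')
        elif tag in ("style", "script", "iframe", "object"):
            self.skip = tag        # drop the element together with its content
        elif tag in ALLOWED_TAGS:  # unknown tags are dropped, their text is kept
            parts = []
            for name, value in attrs:
                value = sanitize_style(value or "") if name == "style" else value
                if name in ALLOWED_ATTRS and value:   # also drops on* event handlers
                    parts.append(f' {name}="{escape(value)}"')
            self.out.append(f"<{tag}{''.join(parts)}>")
    def handle_endtag(self, tag):
        if self.skip:
            self.skip = None if tag == self.skip else self.skip
        elif tag == "script" or tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The same rules apply unchanged to the `<template shadowroot="open">` form, since template content is ordinary markup to this parser.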