Re: [whatwg/dom] Implementing Document.prototype.createHTML (#996)

I would argue this is a road to more XSS issues than we have already.

There are many libraries that allow you to create nodes via template literal tags, ensuring XSS safety, better attribute handling, without providing another footgun on the client side API.

```js
import {html, svg} from "uhtml";
let img = html.node`<img />`;
```

You can also create SVG, which does not look to be part of this proposal.

HTML injections are also going to be flagged as untrusted code, so the fewer ways we have to inject raw strings as HTML, the better, imho.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/996#issuecomment-868963461

Received on Saturday, 26 June 2021 07:43:25 UTC
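
Added example, not part of the original message and not uhtml's code: a minimal template tag showing why the tag-based approach mentioned above separates developer-written markup from interpolated data, next to raw string building. The names `safeHtml`, `escapeHtml`, `rawHtml` and `taggedHtml` are hypothetical, and the input string is constructed.

```javascript
// Minimal string-escaping template tag (illustration only, not uhtml's
// implementation; all function names here are hypothetical).
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// A tag function receives the literal parts (`strings`) separately from the
// interpolated data (`values`), so only the data is escaped.
function safeHtml(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return out;
}

// Raw string building: data and markup are merged before anything can
// tell them apart.
function rawHtml(name) {
  return '<p title="' + name + '">Hello ' + name + "</p>";
}

// Same template, built through the tag.
function taggedHtml(name) {
  return safeHtml`<p title="${name}">Hello ${name}</p>`;
}

// Constructed sample input: markup arriving through a data field.
const untrusted = '"><img src=x onerror=alert(1)>';

console.log("raw:   ", rawHtml(untrusted));    // data becomes an <img> element
console.log("tagged:", taggedHtml(untrusted)); // data stays inert text
```

This escaping covers HTML text and quoted attribute values only; URL, script and style contexts need their own handling.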