- From: Mason Freed <notifications@github.com>
- Date: Mon, 28 Feb 2022 14:04:01 -0800
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/dom/issues/849/1054707121@github.com>
So I'm generally supportive of the second, "maximally lenient" approach. It makes the spec, the implementation, and the developer understanding of this behavior straightforward, which is good for performance, bugs, and happiness. Except I do worry about this downside:
> The downside is that this allows more cases where DOM APIs can produce unparseable HTML. I.e., currently you can produce HTML which does not survive a parse-serialize roundtrip using something like `document.createElement("_a")`. That is kind of sad. This more-lenient version would expand the number of cases where that's possible, to include things like `document.createElement("$a")`. Whereas the version in [#849 (comment)](https://github.com/whatwg/dom/issues/849#issuecomment-1007541209) would disallow `$a` (while continuing to allow `_a`).
>
> Additionally, if we're giving up on parse-serialize roundtrips anyway, it's not clear whether disallowing tab, LF, CR, FF, space, /, >, NULL is important either! We could just allow any string...
My concern isn't so much that it'll allow non-roundtrippable DOM, but more that this might introduce mXSS type security concerns. For example, I'm quite sure we don't want to ever allow `>`, for this specific reason. But there might be other characters that render this pattern mXSS-dangerous?
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/issues/849#issuecomment-1054707121
You are receiving this because you are subscribed to this thread.
Message ID: <whatwg/dom/issues/849/1054707121@github.com>
Received on Monday, 28 February 2022 22:04:13 UTC