- From: Mason Freed <notifications@github.com>
- Date: Thu, 22 May 2025 11:56:03 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 May 2025 18:56:07 UTC
mfreed7 left a comment (whatwg/dom#1079)

> * This does not disallow lone surrogates, the Unicode replacement character U+FFFD, single quotes, or < in any position, because the HTML parser allows introducing those already and it seems nicer to align.

As I was reviewing a Chromium CL that goes along with this PR, I became more worried about allowing `<` in a lot of places. This comment mentions that this was discussed and concluded - could you point me to that discussion? I'd like to (re-)read it.

My general concern is that allowing `<` would seem to cause trouble for things that are scanning for dangerous strings. E.g. `<<script>` is now an element with tag name `<script`. Won't this potentially create bad situations somewhere? E.g. sanitizers? I can't immediately put my finger on the exact exploit, but it certainly feels like there must be one in there somewhere...

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/dom/pull/1079#issuecomment-2902252834
Message ID: <whatwg/dom/pull/1079/c2902252834@github.com>
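Added example, not code from the whatwg/dom PR or from Chromium: a sanitizer that decides per element on the parsed tree, checking each name against a strict tag-name grammar and an allowlist, instead of scanning serialized markup for dangerous strings, so an element named `<script` is dropped on its name alone. The node objects are a constructed stand-in for DOM nodes, and the allowlist and name grammar are assumptions chosen for the demonstration.

```javascript
// Nodes are a constructed stand-in for DOM nodes: {name, children} or {text}.

// Conservative tag-name grammar (an assumption for this example): ASCII
// letter start, then letters, digits, hyphens. Names that createElement()
// may accept but that fail this test (such as "<script") are rejected before
// the allowlist is even consulted.
const STRICT_NAME = /^[a-z][a-z0-9-]*$/;
function isStrictName(name) {
  return STRICT_NAME.test(name);
}

// Allowlist of element names permitted in the output (assumed set).
const ALLOWED = new Set(["div", "p", "span", "b", "i", "a", "ul", "li"]);

// Returns a sanitized copy of the tree, or null when the root is disallowed.
// Disallowed elements are dropped together with their subtree (conservative:
// children are never re-parented into the output).
function sanitizeTree(node) {
  if ("text" in node) return { text: node.text };
  const name = node.name.toLowerCase();
  if (!isStrictName(name) || !ALLOWED.has(name)) return null;
  const children = [];
  for (const child of node.children || []) {
    const clean = sanitizeTree(child);
    if (clean !== null) children.push(clean);
  }
  return { name, children };
}

// Serializer for the cleaned tree; every name here already passed STRICT_NAME.
function serialize(node) {
  if ("text" in node) {
    return node.text.replace(/[&<>]/g, c => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;" }[c]));
  }
  return `<${node.name}>${node.children.map(serialize).join("")}</${node.name}>`;
}

// Constructed input: a div holding an element whose name is "<script" (what a
// relaxed createElement would produce), a real script element, and a span.
const sample = { name: "div", children: [
  { name: "<script", children: [{ text: "x" }] },
  { name: "script", children: [{ text: "y" }] },
  { name: "span", children: [{ text: "ok" }] },
] };

function demo() {
  return serialize(sanitizeTree(sample));
}
console.log(demo()); // → <div><span>ok</span></div>
```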