
#2468 no innerHTML and document.write #2479

Merged
merged 2 commits into from
Dec 19, 2024
Conversation

elarlang
Collaborator

This Pull Request relates to issue #2468

@elarlang elarlang linked an issue Dec 17, 2024 that may be closed by this pull request
@tghosth tghosth marked this pull request as draft December 18, 2024 06:20
@randomstuff
Contributor

[ADDED, SPLIT FROM 5.3.3] Verify that untrusted input must not be applied via innerHTML, document.write, or other properties or functions that render HTML. Instead, use createTextNode, textContent, and similar safe functions that do not render HTML and only render content as text.

What about when the user enters markdown or HTML (which is then filtered using some library). Does "filtered user input" count as "untrusted input"?

I would consider that it is not allowed by the wording of this requirement, but it should be allowed. Should we add some provision for when the input has been properly filtered?

@elarlang elarlang marked this pull request as ready for review December 18, 2024 12:04
@elarlang
Collaborator Author

[ADDED, SPLIT FROM 5.3.3] Verify that untrusted input must not be applied via innerHTML, document.write, or other properties or functions that render HTML. Instead, use createTextNode, textContent, and similar safe functions that do not render HTML and only render content as text.

What about when the user enters markdown or HTML (which is then filtered using some library). Does "filtered user input" count as "untrusted input"?

I would consider that it is not allowed by the wording of this requirement, but it should be allowed. Should we add some provision for when the input has been properly filtered?

This is a discussion about sanitization. See my comment here: #2468 (comment)
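The requirement quoted above contrasts two rendering paths (innerHTML versus textContent), and the thread then asks what happens to HTML that has been filtered before being applied. The following is an added example, not code from the ASVS project or from anyone in this thread. It runs under Node with a minimal element stand-in (an assumption, since Node has no DOM; in a browser the same functions take a real element), and the allowlist sanitizer it carries is illustrative only: in production, filtered HTML should go through a maintained sanitizer such as DOMPurify before it ever reaches innerHTML.

```javascript
// Added example (not ASVS project code): the two rendering paths the
// requirement contrasts, plus a small allowlist sanitizer for the
// "filtered user input" case raised in the discussion.

const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESC[c]);
}

// Minimal stand-in for an Element (assumption: no DOM under Node). It only
// models the serialized markup the browser would end up holding.
function makeElement() {
  return {
    _html: "",
    get innerHTML() { return this._html; },
    set innerHTML(s) { this._html = String(s); },               // parsed as HTML
    set textContent(s) { this._html = escapeHtml(String(s)); }, // rendered as text
  };
}

// Constructed untrusted input: a stored-XSS style payload.
const UNTRUSTED = '<img src=x onerror="alert(1)">hello';

// Forbidden by the requirement: untrusted input goes straight into innerHTML.
function renderUnsafe(el, input) {
  el.innerHTML = input;
  return el.innerHTML; // the <img onerror=...> survives and would execute
}

// Allowed: textContent turns the markup into literal text.
function renderAsText(el, input) {
  el.textContent = input;
  return el.innerHTML; // "&lt;img ...&gt;hello"
}

// Illustrative allowlist sanitizer (assumption: a toy, not a production
// sanitizer). Anything not on the allowlist is dropped or escaped, and
// attribute values are re-emitted quoted and escaped, never copied verbatim.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "code", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function safeHref(value) {
  // Absolute http(s) only, so javascript:, data:, vbscript: never get through.
  return /^https?:\/\//i.test(value.trim());
}

function sanitizeHtml(input) {
  let out = "";
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeHtml(input.slice(i)); break; }
    out += escapeHtml(input.slice(i, lt));
    const gt = input.indexOf(">", lt);
    if (gt === -1) { out += escapeHtml(input.slice(lt)); break; } // stray "<"
    const raw = input.slice(lt, gt + 1);
    i = gt + 1;
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>$/.exec(raw);
    if (!m) { out += escapeHtml(raw); continue; }               // not a tag: text
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;                       // drop the tag
    if (closing) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let attrs = "";
    ATTR_RE.lastIndex = 0;
    let a;
    while ((a = ATTR_RE.exec(m[3])) !== null) {
      const an = a[1].toLowerCase();
      const av = a[2] ?? a[3] ?? a[4] ?? "";
      if (!allowed.has(an)) continue;               // onerror, style, ... dropped
      if (an === "href" && !safeHref(av)) continue;
      attrs += ` ${an}="${escapeHtml(av)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out;
}

// "Filtered user input": innerHTML is only ever given the sanitizer's output.
function renderFiltered(el, input) {
  el.innerHTML = sanitizeHtml(input);
  return el.innerHTML;
}

// Stand-alone demo.
for (const f of [renderUnsafe, renderAsText, renderFiltered]) {
  console.log(f.name.padEnd(15), f(makeElement(), UNTRUSTED));
}
```

The distinction the thread is circling is visible in `renderFiltered`: innerHTML is still the sink, but what reaches it is no longer the untrusted string, only the subset the sanitizer chose to re-emit. The toy sanitizer does not balance tags or decode entities, which a real library handles; it is here to show the shape of the allowlist, not to be copied.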

@elarlang elarlang merged commit b276080 into master Dec 19, 2024
6 checks passed
@elarlang elarlang deleted the elarlang-patch-2468 branch December 19, 2024 09:59
@elarlang
Collaborator Author

@randomstuff - I merged the PR. If you have any further concerns or proposals, please write those in the related issue and then we can re-open it (if needed).

Linked issue that may be closed by this pull request: clarify 50.6.2