by shoeboxam 3853 days ago
I think his concern is: since the security program would need to run on the attacker's computer, the attacker may simply opt not to use it, circumventing it. That being said, I don't see why it can't be used to sanitize requests to the server.
2 comments

Well, if you are worried about XSS, that is a case of an attacker's code running on a victim's machine. If they process SVGs through the lib before adding them to the DOM, that would be one way to prevent the XSS attack. This seems to be what DOMPurify is suggesting based on their documentation.
The main reason is that the server is more often than not NOT JavaScript based.
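As an added illustration (not code from this thread, and not DOMPurify's own implementation), here is a minimal allowlist sanitizer in JavaScript showing the pattern the reply above describes: untrusted SVG markup is cleaned on the client before it is inserted into the DOM. The element and attribute allowlists, the tokenizer and the sample SVG are all constructed for this example; it assumes reasonably well-formed markup, and a real page would use DOMPurify rather than this simplified tokenizer.

```javascript
// Illustrative allowlist sanitizer for untrusted SVG markup (example code,
// not DOMPurify). Run it on the client before the markup touches the DOM.

// Elements kept; anything else (script, foreignObject, iframe, a, ...) is
// dropped together with its entire subtree.
const ALLOWED_ELEMENTS = new Set([
  "svg", "g", "path", "rect", "circle", "ellipse", "line", "polyline",
  "polygon", "text", "tspan", "defs", "use", "linearGradient",
  "radialGradient", "stop", "title", "desc", "clipPath", "mask",
]);

// Attributes kept on allowed elements. Event handlers (on*) and style are
// deliberately absent, so they are stripped.
const ALLOWED_ATTRIBUTES = new Set([
  "id", "class", "x", "y", "x1", "y1", "x2", "y2", "cx", "cy", "r", "rx",
  "ry", "width", "height", "viewBox", "d", "fill", "stroke",
  "stroke-width", "transform", "points", "offset", "stop-color",
  "xmlns", "xmlns:xlink", "href", "xlink:href",
]);

// URL-valued attributes only keep same-document references (#id), which
// blocks javascript: and data: URLs in e.g. <use href>.
const URL_ATTRIBUTES = new Set(["href", "xlink:href"]);

// Browsers case-normalise SVG names when parsing inline SVG (e.g. viewbox ->
// viewBox), so match case-insensitively and emit the canonical spelling.
const ELEMENT_BY_LOWER = new Map([...ALLOWED_ELEMENTS].map((n) => [n.toLowerCase(), n]));
const ATTRIBUTE_BY_LOWER = new Map([...ALLOWED_ATTRIBUTES].map((n) => [n.toLowerCase(), n]));

// Make a value safe inside double quotes; existing entities are left as-is.
function escapeAttr(value) {
  return value.replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Re-emit only allowlisted attributes from the raw attribute text of a tag.
function sanitizeAttributes(rawAttrs) {
  const out = [];
  const re = /([^\s=\/"'<>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;
  let m;
  while ((m = re.exec(rawAttrs)) !== null) {
    const canonical = ATTRIBUTE_BY_LOWER.get(m[1].toLowerCase());
    if (!canonical) continue; // unknown attribute or on* handler: drop it
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (URL_ATTRIBUTES.has(canonical) && !value.trim().startsWith("#")) continue;
    out.push(` ${canonical}="${escapeAttr(value)}"`);
  }
  return out.join("");
}

// Tokenise the markup into tags, comments/CDATA/doctype, and text, and
// rebuild it from allowlisted parts only.
function sanitizeSvg(markup) {
  const token = /<\/?([A-Za-z][\w:.-]*)([^<>]*?)(\/?)>|<!--[\s\S]*?-->|<!\[CDATA\[[\s\S]*?\]\]>|<[^>]*>|[^<]+/g;
  let out = "";
  let dropDepth = 0; // > 0 while inside a disallowed element's subtree
  let m;
  while ((m = token.exec(markup)) !== null) {
    const [whole, name, rawAttrs, selfClose] = m;
    if (name === undefined) {
      if (whole.startsWith("<")) continue;  // comment, CDATA, doctype, PI: drop
      if (dropDepth === 0) out += whole;    // text node (contains no '<')
      continue;
    }
    const isClosing = whole.startsWith("</");
    const canonical = ELEMENT_BY_LOWER.get(name.toLowerCase());
    if (dropDepth > 0) {
      // Track nesting so the whole disallowed subtree is removed.
      if (isClosing) dropDepth--;
      else if (!selfClose) dropDepth++;
      continue;
    }
    if (!canonical) {
      if (!isClosing && !selfClose) dropDepth++; // start dropping this subtree
      continue;
    }
    if (isClosing) out += `</${canonical}>`;
    else out += `<${canonical}${sanitizeAttributes(rawAttrs)}${selfClose ? "/" : ""}>`;
  }
  return out;
}

// Constructed sample: an "uploaded avatar" carrying the usual SVG XSS vectors.
const UNTRUSTED_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100" onload="alert(1)">' +
  '<!-- uploaded avatar --><script>alert(1)</script>' +
  '<circle cx="50" cy="50" r="40" fill="#09f" onclick="alert(2)"/>' +
  '<use href="javascript:alert(3)"/>' +
  '<foreignObject><div>html inside svg</div></foreignObject>' +
  '<text x="10" y="90">hello</text></svg>';

const CLEAN_SVG = sanitizeSvg(UNTRUSTED_SVG);
console.log(CLEAN_SVG);

// In a browser this is the step the reply describes: sanitize, then insert.
if (typeof document !== "undefined") {
  document.getElementById("avatar").innerHTML = CLEAN_SVG; // hypothetical container id
}
```

The important property is that the sanitizer rebuilds the markup from an allowlist rather than trying to blocklist known-bad constructs, and that it runs on the client right before `innerHTML`, so it covers SVGs regardless of which non-JavaScript server stored them.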