by AgentME 3529 days ago
>either the website has to be sanitized/projected into a harmless dom abstraction

Should Firefox contain code to recognize text that looks like Angular templates and then break it somehow? That'd be extremely specific.

Eval isn't an inherently unsafe feature, and it doesn't have a monopoly on insecurity: Angular doesn't even require eval. It can run without eval in a CSP-supporting mode that's equally vulnerable.