by andrewstuart2
3466 days ago
Virtual DOM doesn't really have anything to do with preventing XSS. It's done in angular 1 as well. Really, it's about taint checking [1]. Distrust all sources of content by default that might have seen user input (or that you know have seen user input), and require explicit trust declarations from the developers to remove taints. When you're about to use the data (e.g. appending to the DOM), you simply check for tainted data and escape it for the context you're in. Most times in the browser, that just means escaping content that might be valid HTML, but there are probably other contexts that require escaping as well.

[1] https://en.wikipedia.org/wiki/Taint_checking
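The taint-and-escape-at-the-sink model the comment describes, as an added example that is not part of the original post and not the code of Angular or any other framework. Every name here (`Tainted`, `Trusted`, `fromUntrusted`, `trustAs`, `concat`, `render`) is an assumption of this sketch, the sample inputs are constructed, and the URL handling is a deliberately small allowlist, not a complete URL sanitizer. It also shows two points the comment only hints at: taint propagates through string joins, and a trust declaration is specific to one output context, so data trusted as HTML is still escaped when it lands in a URL attribute.

```javascript
// Added example (not from the comment above): a minimal model of taint tracking with
// context-specific escaping at the output sink. All names are assumptions of this sketch.

// Values that have seen user input carry a taint marker.
class Tainted {
  constructor(value) { this.value = String(value); }
}

// Values a developer has explicitly declared safe for ONE output context.
class Trusted {
  constructor(context, value) { this.context = context; this.value = String(value); }
}

// Mark data from an untrusted source (query string, form field, API response).
function fromUntrusted(value) { return new Tainted(value); }

// Explicit trust declaration: the only way to remove a taint. Keep these rare and reviewed.
function trustAs(context, value) {
  const raw = value instanceof Tainted ? value.value : String(value);
  return new Trusted(context, raw);
}

// Joining strings propagates taint: if any part is tainted, the result is tainted.
function concat(...parts) {
  const tainted = parts.some(p => p instanceof Tainted);
  const text = parts.map(p => (p instanceof Tainted ? p.value : String(p))).join('');
  return tainted ? new Tainted(text) : text;
}

// Context-specific escapers. Each output context needs its own rules.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapers = {
  // HTML text or quoted attribute value: neutralise the markup characters.
  html: s => s.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch]),

  // URL attribute (href/src): a scheme is whatever precedes the first ':' that comes
  // before any '/', '?' or '#'. Only an allowlisted scheme or a scheme-less (relative)
  // URL passes; anything else is prefixed with 'unsafe:' so the browser cannot run it.
  // The value still lands inside an attribute, so it is HTML-escaped afterwards.
  url: s => {
    const trimmed = s.trim();
    const scheme = /^([^\/?#]*):/.exec(trimmed);
    const safe = scheme === null || /^(?:https?|mailto)$/i.test(scheme[1]);
    return escapers.html(safe ? trimmed : 'unsafe:' + trimmed);
  },
};

// The sink: called when data is about to be written into the DOM in a given context.
// Anything not explicitly trusted for THIS context is escaped (secure default), which
// covers tainted values, plain strings, and values trusted for a different context.
function render(context, value) {
  if (!(context in escapers)) throw new Error('unknown output context: ' + context);
  if (value instanceof Trusted && value.context === context) return value.value;
  const raw = (value instanceof Tainted || value instanceof Trusted) ? value.value : String(value);
  return escapers[context](raw);
}

// Constructed inputs standing in for a query-string parameter and a developer literal.
const userText = fromUntrusted('<script>x()</script>');
const userLink = fromUntrusted('javascript:void(0)');
console.log(render('html', userText));                      // escaped markup
console.log(render('html', concat('Hi, ', userText)));      // taint survives the join
console.log(render('html', trustAs('html', '<b>ok</b>')));  // trusted for html: raw
console.log(render('url', userLink));                       // unsafe: prefix
console.log(render('url', trustAs('html', 'javascript:void(0)'))); // wrong context: still sanitized
```

The design choice worth noting is that `render` never asks "is this value safe?" in the abstract; it asks "was this value explicitly trusted for the context I am writing into?", and everything else goes through the escaper for that context. That keeps the trust declarations greppable and the default secure.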