by snek
2529 days ago
Your response makes it sound like this is intended more for cases where a site uses innerHTML and it's too much of a burden to rewrite, so you allow only that innerHTML, but that allowed innerHTML is still susceptible to XSS, so what is the point? As a side note, having a header to disallow innerHTML etc. is definitely a good step, but the rest of this seems superfluous or even leading to a false sense of security.