by ricardobeat
2115 days ago
> it is still possible to inject area and map tags

This is the critical oversight - what would be the reason to not use a whitelist instead, or even custom tags instead of plain HTML? Most of the existing libraries for sanitizing HTML work like that.