by leonardopainter 1577 days ago
Using template literals to represent HTML is a security issue. If the state comes from the user, they can add script tags into the HTML. People try to solve this with tagged templates, but then if you forget the tag, you have a security issue again. Lit checks for this, but the fact that it has to check means it is less secure than not using tagged templates. There are libraries on GitHub for creating SQL using tagged templates which have the same security issue. The problem is that if your function works with both tagged templates and plain strings, when you forget to add the tag, you will never know.
1 comment
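The distinction the comment above draws, as an added example that is not part of the thread and not Lit's code: a minimal `html` tag that escapes interpolated values and wraps its result in a branded `SafeHtml` object, and a `render()` that accepts only that object. The names `html`, `SafeHtml`, `render` and the user input are assumptions constructed for the example. With a plain template literal (tag forgotten) the renderer throws instead of silently treating attacker-controlled text as markup, which is the "has to check" case described above.

```javascript
// Added example, not from the thread or from Lit: a tagged template that
// escapes interpolations, and a renderer that refuses untagged strings.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Branded wrapper: only the `html` tag below constructs one, so its
// presence proves the markup went through escaping.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: the literal parts are trusted author markup; each
// interpolated value is escaped unless it is already SafeHtml (nesting).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// The check: a plain string (the "forgot the tag" case) is rejected
// rather than being set as innerHTML.
function render(node) {
  if (!(node instanceof SafeHtml)) {
    throw new TypeError("render() requires html`...` output, got " + typeof node);
  }
  return node.markup;
}

// Constructed attacker-controlled input (same payload the thread uses).
const userName = "<script>alert(1)</script>";

// Tagged: the payload is escaped into inert text.
function renderTagged() {
  return render(html`<p>Hello, ${userName}</p>`);
}

// Untagged: the literal produces a raw string, and render() refuses it.
function untaggedIsRejected() {
  try {
    render(`<p>Hello, ${userName}</p>`);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

console.log(renderTagged());        // <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
console.log(untaggedIsRejected());  // true
```

The branded return type is what makes the forgotten tag detectable at all: a function that happily accepts both `html\`...\`` output and plain strings cannot tell the two apart, which is exactly the failure mode the comment warns about for the SQL-building libraries as well.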

    If the state comes from the user, they
    can add script tags into the html
How is that different with React?

And how is it a problem? A rendering engine would set the html of some element to the html I think?

This ...

    document.body.innerHTML='<script>alert(1)</script>';
...does not execute the script.
In terms of the placeholders in JSX, no, they are escaped.
True.

But the same issue with React's way.