|
|
|
|
|
|
by spankalee
764 days ago
|
|
|
Luckily, for Lit specifically, the "escaping" is done by the browser by setting textContent, so the string literally never passes through the HTML parser. Any string is valid text content, and if you found a bug that permitted unsafe text to be parsed as HTML somehow, it would be a browser bug and a very, very serious one. But it'd be similar with with other template systems. If the interpolation should allow any string, there's really no validation to be done. |
|
|