by myfonj 435 days ago
I am surprised there is no policy that would allow inline event handlers set in the initial payload (or stuff emitted by document.write), but neuter any done after initial render by `….setAttribute('on…', …)`.

That would keep "static form" helpers still functional, but disable (malicious) runtime templating.
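No CSP directive behaves this way today, but a page can approximate the proposed split itself. The following is an added example (not code from the comment above): it patches `setAttribute` so that `on*` attributes written after initial render are refused and logged, while handlers already in the initial markup keep working. `installInlineHandlerGuard`, `FakeElement` and `demo` are names invented here; `FakeElement` is a constructed stand-in so the logic can run outside a browser.

```javascript
const ON_ATTR = /^on[a-z]+$/i;   // matches onclick, onerror, onload, ...

// Wrap a prototype's setAttribute. Before markRenderDone() everything passes
// (the "static form" helpers from the initial payload); afterwards any on*
// attribute is dropped and recorded instead of being written to the element.
function installInlineHandlerGuard(elementProto, report = console.warn) {
  const original = elementProto.setAttribute;
  const state = { renderDone: false, blocked: [] };
  elementProto.setAttribute = function (name, value) {
    if (state.renderDone && ON_ATTR.test(name)) {
      state.blocked.push({ name, value: String(value) });
      report(`blocked runtime inline handler: ${name}`);
      return;                       // neutered: attribute never lands on the element
    }
    return original.call(this, name, value);
  };
  return {
    markRenderDone() { state.renderDone = true; },
    blocked: state.blocked,
    uninstall() { elementProto.setAttribute = original; },
  };
}
// In a browser: installInlineHandlerGuard(Element.prototype) as the first script,
// then guard.markRenderDone() from a DOMContentLoaded listener.

// Constructed stand-in for a DOM element (only what the demo needs).
class FakeElement {
  constructor() { this.attrs = new Map(); }
  setAttribute(name, value) { this.attrs.set(name.toLowerCase(), String(value)); }
  getAttribute(name) { return this.attrs.get(name.toLowerCase()) ?? null; }
}

function demo() {
  const guard = installInlineHandlerGuard(FakeElement.prototype, () => {});
  const initial = new FakeElement();
  initial.setAttribute('onclick', 'submitForm()');      // part of initial render: kept
  guard.markRenderDone();
  const late = new FakeElement();
  late.setAttribute('onclick', 'runtimeTemplate()');    // set after render: dropped
  late.setAttribute('data-step', '2');                  // non-handler attrs unaffected
  guard.uninstall();
  return {
    initialHandler: initial.getAttribute('onclick'),    // 'submitForm()'
    lateHandler: late.getAttribute('onclick'),          // null
    dataStep: late.getAttribute('data-step'),           // '2'
    blockedCount: guard.blocked.length,                 // 1
  };
}
```

This only intercepts `setAttribute`; handlers assigned through element properties or injected as markup are not covered, which is why such a split would need to be enforced by the browser rather than by page script.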