by systoll
232 days ago
A script tag would be able to call setHTMLUnsafe, bypassing whatever sanitation you configured. I’d’ve made it a runtime error to call setHTML with an unsafe config, but JavaScript tends toward implicit reinterpretation rather than erroring-out.