by crote
186 days ago
> Are there any examples where the first approach (sanitize to string and set inner html) is actually dangerous?

The article links to [0], which has some examples of instances in which HTML parsing is context-sensitive. The exact same string being put into a <div> might be totally fine, while putting it inside a <style> results in XSS.

[0]: https://www.sonarsource.com/blog/mxss-the-vulnerability-hidi...
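The context sensitivity crote points at, shown as an added example (not part of the original comment or the linked article) using Python's standard-library `html.parser`: the same constructed fragment is tokenized differently as the content of a `<div>` than as the content of a `<style>`, because `<style>` switches the tokenizer into raw-text state. The fragments, `TokenCollector` and `parse_in_context` are constructed for this illustration.

```python
from html.parser import HTMLParser


class TokenCollector(HTMLParser):
    """Records what the tokenizer emitted: element start tags and text runs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def parse_in_context(fragment, wrapper):
    """Parse `fragment` as the child content of <wrapper>...</wrapper>.

    Returns (element names emitted, text emitted), with the wrapper element
    itself left out so the two contexts can be compared directly.
    """
    parser = TokenCollector()
    parser.feed(f"<{wrapper}>{fragment}</{wrapper}>")
    parser.close()
    return [t for t in parser.tags if t != wrapper], "".join(parser.text)


# Constructed fragments, deliberately benign: the point is the tokenizer
# state at the insertion point, not any particular payload.
MARKUP = "<b>bold</b>"      # a tag when parsed in body context
ESCAPED = "&lt;b&gt;x"      # an escaped tag when parsed in body context

if __name__ == "__main__":
    for fragment in (MARKUP, ESCAPED):
        for wrapper in ("div", "style"):
            tags, text = parse_in_context(fragment, wrapper)
            print(f"{fragment!r:16} in <{wrapper}>: tags={tags} text={text!r}")
    # Inside <div>, <b> becomes an element and &lt; decodes to '<'.
    # Inside <style>, the tokenizer is in raw-text state: <b>bold</b> stays
    # literal text and &lt;b&gt; is not decoded. A sanitizer's verdict on
    # the string in one context therefore says nothing about the other.
```

The defensive consequence is that a sanitizer working on a string only knows the context it parsed in; inserting sanitized nodes (or sanitizing in the exact context the string will land in) avoids the re-tokenization mismatch.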