by Ndymium
129 days ago
Note that the API is split into XSS-safe and XSS-unsafe calls. The XSS-safe calls [0] have this noted for each of them (emphasis mine):

> Then drop any elements and attributes that are not allowed by the sanitizer configuration, and any that are considered XSS-unsafe (even if allowed by the configuration)

The XSS-unsafe functions are all named "unsafe". Although considering web programmers, maybe they should have been named "UnsafeDoNotUseOrYouWillBeFired".

[0] https://developer.mozilla.org/en-US/docs/Web/API/HTML_Saniti...