Hacker News
by lukax, 124 days ago
Wow, XSS just waiting to happen.
<h3>${this.getAttribute('title')}</h3>
2 comments
benatkin
124 days ago
It looks similar to Lit code, but it's not Lit, so yes, it is XSS waiting to happen all right. If it were Lit it would be escaped. It would start with html` which evaluates to a TemplateResult and the render() function only accepts a TemplateResult.
teg4n_
124 days ago
How? If the attribute is not trusted, doesn't that mean the DOM is already compromised?
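Added example (editor's code, not Lit's and not posted by any commenter) contrasting lukax's snippet with the tagged-template behaviour benatkin describes, and showing how an attribute can hold untrusted text while the DOM itself is intact, the situation teg4n_ asks about. The `html`, `TemplateResult` and `render` below are a simplified model of the mechanism, not Lit's implementation, and the untrusted title string is constructed for the demo.

```javascript
// Added example (not from the thread, not Lit's code): models the gap between
// a plain template literal assigned to innerHTML and a Lit-style tagged
// template whose interpolations are escaped. No DOM here; "rendering" means
// producing the HTML string that would be assigned to innerHTML.

// Constructed untrusted input. The DOM is not compromised: application code
// merely copied a URL parameter into an attribute, e.g.
// el.setAttribute('title', new URLSearchParams(location.search).get('t')).
const UNTRUSTED_TITLE = '<img src=x onerror=alert(1)>';

// The pattern quoted in the thread: the attribute value is spliced in verbatim,
// so any markup it carries becomes live HTML once the string hits innerHTML.
function renderUnsafe(titleAttr) {
  return `<h3>${titleAttr}</h3>`;
}

function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Simplified stand-in for Lit's TemplateResult: static strings stay as
// authored, dynamic values are kept apart so they can be escaped on render.
class TemplateResult {
  constructor(strings, values) { this.strings = strings; this.values = values; }
}

// Tagged template: html`<h3>${x}</h3>` calls this with the split literal.
function html(strings, ...values) {
  return new TemplateResult(strings, values);
}

// Only a TemplateResult is accepted, so a raw string built by concatenation
// cannot be rendered by mistake.
function render(result) {
  if (!(result instanceof TemplateResult)) {
    throw new TypeError('render() expects a TemplateResult, not a string');
  }
  return result.strings.reduce((out, s, i) =>
    out + s + (i < result.values.length ? escapeHtml(result.values[i]) : ''), '');
}

function renderSafe(titleAttr) {
  return render(html`<h3>${titleAttr}</h3>`);
}

console.log(renderUnsafe(UNTRUSTED_TITLE)); // <h3><img src=x onerror=alert(1)></h3>
console.log(renderSafe(UNTRUSTED_TITLE));   // <h3>&lt;img src=x onerror=alert(1)&gt;</h3>
```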