[lazide]

It’s basic self defense. Who runs around the web in 2026 allowing random JS? Might as well be licking seats on the subway.

[Telaneo]

> Who runs around the web in 2026 allowing random JS?

Within a rounding error, 100% of people on the internet.

[lazide]

It’s a lot higher pct when you count vpns with JS filtering, ad blockers, etc.

[Telaneo]

Even then, they're using disallow lists. If you go on a random web page with novel JS, then that'll still be run.

The only people working of allow lists are the people running NoScript and the like, and those truly aren't running random JS. But those people are a rounding error compared to the greater internet.

[lmm]

If you trust your browser it's fine, and if you don't then both CSS and SVG are significantly more risky.

[margalabargala]

This isn't true at all.

Anything SVG does maliciously, it does by containing JavaScript, so SVG's worst case is a subset of JS's.

[fc417fc802]

Remind me again what the ratio of browser sandbox escapes coupled with full RCE is between JS, CSS, and SVG?

[sysguest]

> then both CSS and SVG are significantly more risky.

how???