Skip to content
This repository has been archived by the owner on May 29, 2019. It is now read-only.

strictTemplatePolicy and xss stuff #2647

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

strictTemplatePolicy and xss stuff #2647

wants to merge 4 commits into from

Conversation

ghost
Copy link

@ghost ghost commented Jul 24, 2018

@ghost ghost requested review from arthurevans and kevinpschaaf July 24, 2018 02:17

Developers using any web technology must take extreme care with APIs like [innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML) and [insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML) that directly manipulate DOM. If you use these APIs, you must guarantee that any HTML strings you pass to them are free from possibly malicious code. See the [MDN documentation on innerHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/innerHTML) for more info.

Polymer developers , an extra consideration applies to these APIs, in that we must also rule out the evaluation of untrusted custom element templates.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Eliminate "we" -- suggest maybe "Polymer developers must also guard against the evaluation of untrusted code in custom element templates."

@ghost
Copy link
Author

ghost commented Sep 18, 2018

Ready for another look, thanks @arthurevans. @kevinpschaaf LMK your thoughts.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants