
> Traverse the HTML fragment and remove elements as configured.

Well this is clearly wrong isn't it? You need a whitelist of elements, not a blacklist. That lesson is at least 2 decades old.





I mean... "as configured" can be either an allow OR a denylist. That sentence doesn't really prescribe doing it one way or the other? You have to parse the denylisted elements because they will affect the rest of the parse, so you _have_ to remove them afterwards in the general case.

Looks like it supports both actually: https://wicg.github.io/sanitizer-api/#sanitization

That's better than only supporting `removeElements`, but it really shouldn't support it at all.
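To make the allow-list vs. deny-list point concrete, here is an added example (not code from the thread, the Sanitizer API spec, or any browser implementation). It is a toy sanitizer that walks an already-parsed element tree, as the "remove them afterwards" comment describes, and applies either an `elements` (allow-list) or a `removeElements` (deny-list) configuration. The config key names mirror the spec's, but the tree shape `{name, attrs, children}`, the sample fragment, and every function below are assumptions made for this example.

```javascript
// Added example: toy post-parse sanitizer contrasting allow-list and deny-list configs.
// Not the Sanitizer API; the tree format and all helpers are assumptions for the demo.

// Constructed stand-in for a parsed DocumentFragment:
// elements are {name, attrs, children}, text nodes are {text}.
const SAMPLE_FRAGMENT = {
  name: "#fragment",
  attrs: {},
  children: [
    { name: "p", attrs: {}, children: [
      { text: "Hello " },
      { name: "b", attrs: {}, children: [{ text: "world" }] },
    ]},
    { name: "script", attrs: {}, children: [{ text: "alert(1)" }] },
    // Loads external content, but is NOT on the deny list below: a deny list
    // can only block what its author remembered to list.
    { name: "embed", attrs: { src: "https://attacker.example/x.swf" }, children: [] },
  ],
};

// Deny-list config: names the elements the author thought of.
const DENY_CONFIG = { removeElements: ["script", "iframe", "object"] };
// Allow-list config: names only what the page actually needs; everything else is dropped.
const ALLOW_CONFIG = { elements: ["p", "b", "i", "a", "ul", "li"] };

// Returns true if an element with this (lower-cased) name survives under the config.
function elementAllowed(name, config) {
  if (Array.isArray(config.elements)) {
    return config.elements.includes(name);              // allow-list: unknown => dropped
  }
  return !(config.removeElements || []).includes(name); // deny-list: unknown => kept
}

// Returns a new tree; a removed element is dropped together with its whole subtree.
function sanitize(node, config) {
  if (node.text !== undefined) return { text: node.text };
  const children = [];
  for (const child of node.children) {
    if (child.text !== undefined) { children.push({ text: child.text }); continue; }
    const name = child.name.toLowerCase();
    if (!elementAllowed(name, config)) continue;
    children.push(sanitize({ ...child, name }, config));
  }
  return { name: node.name, attrs: { ...node.attrs }, children };
}

// Flat list of element names in document order, for inspection.
function elementNames(node) {
  const out = [];
  for (const child of node.children || []) {
    if (child.text !== undefined) continue;
    out.push(child.name);
    out.push(...elementNames(child));
  }
  return out;
}

// Minimal serializer so the result can be eyeballed (escapes text and attribute
// values; does not special-case void elements, so <embed> gets a closing tag).
function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}
function serialize(node) {
  if (node.text !== undefined) return escapeText(node.text);
  const inner = node.children.map(serialize).join("");
  if (node.name === "#fragment") return inner;
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${String(v).replace(/&/g, "&amp;").replace(/"/g, "&quot;")}"`)
    .join("");
  return `<${node.name}${attrs}>${inner}</${node.name}>`;
}

console.log("deny-list :", serialize(sanitize(SAMPLE_FRAGMENT, DENY_CONFIG)));
console.log("allow-list:", serialize(sanitize(SAMPLE_FRAGMENT, ALLOW_CONFIG)));
```

Run with `node`: the deny-list pass strips `<script>` but lets `<embed src=...>` through because nobody listed it, while the allow-list pass keeps only `<p>` and `<b>`. That asymmetry is the whole argument: an allow-list fails closed on elements you never considered, a deny-list fails open.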



