From 21e4e6166b9c37332a0fa1c0375a9edbc01a3f6e Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Tue, 14 Nov 2023 18:04:44 +0100 Subject: [PATCH] More review feedback. --- explainer.md | 46 +++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/explainer.md b/explainer.md index 3bde63c..2e3e210 100644 --- a/explainer.md +++ b/explainer.md @@ -147,10 +147,11 @@ Document.parseHTML(example_tr); // A table row. All of these would have had identical results if the "unsafe" variants had been used. -### Parsing XML +### Parsing in XML documents Parsing follows HTML parsing rules, unlike `innerHTML`, where it depends on the document type: + ```js const element_xml = new DOMParser().parseFromString("
", "application/xhtml+xml").getElementsByTagName("div")[0]; const example_not_xml = "
bla"; @@ -171,6 +172,49 @@ element.setHTML(`
``` +Note that the context node might also be a script element. In this case adding +plain text to it creates new script content: + +```js +const sneaky = document.createElement("script"); +sneaky.setHTMLUnsafe("alert('Surprise!');"); +``` + +OPTION #1: + +The context node is not only observed when parsing. It is also takken into +account when sanitizing: + +```js +element.setHTML("alert('Surprise!');"); +//
alert('Surprise!');
+sneaky.setHTML("alert('Surprise!');"); +// . The text node has been removed, as in this context it +would have been script-y. +``` + +OPTION #2: + +While the context node is observed when parsing, it has no bearing on the +sanitization. Since a text node is not script-y by itself the safe version will +insert it. It's up to the developer to ensure this will not happen in unexpected +places. + +```js +sneaky.setHTML("alert('Surprise!');"); +// . Surprise occurs when inserted into a live document. +``` + +OPTION #3: + +The safe version maintains the contract to remove script-y content defined by +the platform. Since adding text to an existing script element would violate +this contract, the 'safe' versions will throw an exception: + +```js +sneaky.setHTML("alert('Surprise!');"); // Throws. sneaky will not be modified. +``` + ### Configuration Options: Basic use and namespaces The operation of the built-in sanitizer can be configured to suit your