@mathias but what if the attacker injects a "hidden div" with the same id?
@avlidienbrunn That’s why I have that disclaimer link at the bottom. This doesn’t absolve you from having to escape user-supplied content :)
@mathias interesting post! I wonder if there’s a way to get this to be CSP compliant https://github.com/yahoo/express-state …

@ericf @mathias AFAIK inline scripts *are* an option if you specify type="application/json" http://nmatatal.blogspot.co.nz/2013/01/removing-inline-javascript-for-csp.html …
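The two threads above touch the same point: data placed in a `<script type="application/json">` element is not executed (so it can coexist with a CSP that blocks inline scripts), but user-supplied values inside it still have to be escaped, or a value containing `</script>` or markup would break out of the element. The following is an added illustration, not code from the thread participants or from the express-state project; the function names and the sample data are assumptions made for this example.

```javascript
// Added example: server-side rendering of a JSON data island that cannot be
// broken out of by user-supplied strings, plus the client-side read-back.
// `escapeJsonForScript`, `renderDataScript` and `extractAndParse` are names
// invented for this example.

// Serialize a value and replace the characters that the HTML parser could
// interpret as markup inside a <script> element. Using JSON \uXXXX escapes keeps
// the payload valid JSON, so JSON.parse() restores the original characters.
function escapeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')   // prevents "</script>" from closing the element
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // line separators that break some JS consumers
    .replace(/\u2029/g, '\\u2029');
}

// `id` is assumed to be a developer-controlled constant, never user input.
function renderDataScript(id, value) {
  return `<script type="application/json" id="${id}">` +
    escapeJsonForScript(value) +
    '</script>';
}

// Client side (shown here without a DOM): locate the element body and parse it.
// In a browser this would be JSON.parse(document.getElementById(id).textContent).
function extractAndParse(html, id) {
  const re = new RegExp(
    `<script type="application/json" id="${id}">([\\s\\S]*?)</script>`
  );
  const m = html.match(re);
  if (!m) throw new Error('data island not found');
  return JSON.parse(m[1]);
}

// Constructed sample: a user-controlled field that tries to close the element
// and inject a duplicate-id element (the concern raised in the first reply).
const hostile = { name: '</script><div id="data">x</div>' };
const html = renderDataScript('data', hostile);
console.log(html);
console.log(extractAndParse(html, 'data').name);
```

Because every `<`, `>` and `&` is encoded as a JSON escape rather than an HTML entity, the element contains exactly one `</script>` (the one the server writes), and the client still receives the original string unchanged after `JSON.parse`.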