If I got a Bitcoin every time some websec folk started a Twitterstorm bashing CSP without proposing a viable alternative, I would be rich.
browser can do context-aware escaping, and converting existing innerHTML users to this seems doable
you mean manually or automatically converting?
New conversation
(I mostly meant this as "IMO this is how the API should look to make it easy to understand+use")
alternative: e.setInnerHTML("<b>$1</b>", hi) where the string is compile-time constant or a safe type
New conversation
extra bonus: ability to mix the template method with DOM APIs or so
div.setInnerHTML`<table>${list.map(e=>document.nodeFromTemplate`<td>${e}</td>`)}</table>`
End of conversation