kflgkans | 11 months ago

> That looks like more XSS vectors.

Could you elaborate on that? I don't understand how this leads to more XSS vectors.

karol|11 months ago

If these are proposals to use bindings between HTML attributes and calling JS methods, then it's enough to inject HTML, not JS, to start executing JS.

Keithamus|11 months ago

It’s not executing JS. The names map to JS methods, but both the HTML and JS call into C++ (or Rust or Swift, whatever the browser is written in). Arbitrary JS code execution cannot occur. Of course, if you’re ingesting user-generated content, you should not allow these attributes on buttons (but for proper security you should already have an allow-list of tags and attributes on any user-generated content).
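
The allow-list of tags and attributes mentioned in the last comment, as an added example that is not part of the thread: a small sanitizer for user-generated HTML built on Python's standard `html.parser`. The policy, the sample input, and the choice of `command`/`commandfor` as the declarative button attributes under discussion are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy: allowed tags and, per tag, the attributes that may survive.
ALLOWED = {"p": set(), "b": set(), "em": set(), "a": {"href"}, "button": {"type"}}
DROP_CONTENT = {"script", "style"}          # remove the tag and everything inside it
SAFE_URL_PREFIXES = ("https://", "http://", "mailto:")

class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED:
            return                           # unknown tag: drop markup, keep its text
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED[tag]        # anything not listed is removed
            if ok and name == "href":
                ok = value.strip().lower().startswith(SAFE_URL_PREFIXES)
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))    # text is always re-escaped

def sanitize(html_text):
    """Return (clean_html, list of (tag, attribute) pairs that were removed)."""
    parser = AllowListSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample of user-submitted markup.
SAMPLE = ('<p>hi</p><button command="show-modal" commandfor="dlg" '
          'onclick="x()" type="button">Open</button><script>alert(1)</script>')
```

Because the policy lists what is permitted rather than what is forbidden, attributes added to HTML after the policy was written are stripped by default, with no need to update a deny-list.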