Comment by lukax 6 days ago Wow, XSS just waiting to happen.
<h3>${this.getAttribute('title')}</h3>
benatkin 6 days ago It looks similar to Lit code, but it's not Lit, so yes, it is XSS waiting to happen all right. If it were Lit it would be escaped. It would start with html` which evaluates to a TemplateResult and the render() function only accepts a TemplateResult.
teg4n_ 6 days ago How? If the attribute is not trusted, doesn't that mean the DOM is already compromised?
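The distinction the thread draws, as an added example that is not part of any comment and is not Lit's code: a plain template literal puts whatever `getAttribute('title')` returns straight into markup, while an `html` tagged template can escape every interpolated value and wrap the result in a `TemplateResult` that is the only thing `render()` accepts. The `escapeHtml`, `html`, `TemplateResult`, `render`, `naiveHeading` and `safeHeading` names, and the sample title value, are all constructed for this illustration; they mimic the shape of the mechanism benatkin describes, not Lit's actual implementation, which also handles attribute and property bindings.

```javascript
// Added example: naive interpolation beside a minimal escaping tagged template.
// Hypothetical code, not Lit's implementation and not from the thread.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that can start or end markup or break out of a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Stands in for Lit's TemplateResult: render() accepts only this wrapper, so a
// string assembled by concatenation cannot be handed to it by accident.
class TemplateResult {
  constructor(markup) {
    this.markup = markup;
  }
}

// html`` tag: the literal parts are author-written markup and are kept as-is;
// every interpolated value is escaped before it is joined in.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeHtml(values[i]) + strings[i + 1];
  }
  return new TemplateResult(out);
}

// Enforces the type boundary: raw strings are rejected at the render step.
function render(result) {
  if (!(result instanceof TemplateResult)) {
    throw new TypeError('render() only accepts a TemplateResult, not a raw string');
  }
  return result.markup;
}

// The pattern lukax quoted: the attribute value is interpolated into markup unchanged.
function naiveHeading(title) {
  return `<h3>${title}</h3>`;
}

// The same heading built through the escaping tag and the type-checked render().
function safeHeading(title) {
  return render(html`<h3>${title}</h3>`);
}

// Constructed sample value: a title attribute that happens to contain markup.
const untrustedTitle = '<b>injected</b>';

console.log(naiveHeading(untrustedTitle)); // <h3><b>injected</b></h3>  (markup stays live)
console.log(safeHeading(untrustedTitle));  // <h3>&lt;b&gt;injected&lt;/b&gt;</h3>
```

The point for a reviewer is the second guard, not just the escaping: because `render()` refuses anything that is not a `TemplateResult`, a later edit that swaps the tagged template for plain string concatenation fails loudly instead of silently reintroducing the injection.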