Notices by Jason Miller 🦊⚛️ (developit@mastodon.social)
-
Jason Miller 🦊⚛️ (developit@mastodon.social)'s status on Friday, 03-Mar-2023 16:19:09 JST Jason Miller 🦊⚛️ @aral it'd really only matter if you were doing something like allowing user-submitted content within your stylesheet. As soon as you jump into a variable in the htm template string, you're relying on vhtml's entity encoding to ensure that variable isn't interpreted as HTML. Works a bit differently than VDOM, where the template is never parsed or assigned as HTML.
-
Jason Miller 🦊⚛️ (developit@mastodon.social)'s status on Friday, 03-Mar-2023 02:06:36 JST Jason Miller 🦊⚛️ @aral actually I think we could fix this in VHTML if you wanted - it's currently doing unnecessary entity encoding for text content. It should only be encoding `<`. The boolean prop thing is just something I forgot to add.
-
Jason Miller 🦊⚛️ (developit@mastodon.social)'s status on Friday, 03-Mar-2023 02:05:44 JST Jason Miller 🦊⚛️ @aral careful with that sanitization bypass:
h('style', {}, '</style><script>alert("hi")</script>')
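Added example (not vhtml's or the thread's own code) showing why the entity encoding discussed in this thread is what stands between a `<style>` child and a breakout: `render`, `encode` and `hasBreakout` are hypothetical stand-ins for a vhtml-style serializer, the `rawText` option models a helper that passes CSS through untouched, and the payload is the one quoted in the post above.

```javascript
// Hypothetical h()-style serializer (assumption: not vhtml's real code).
// Text children are entity-encoded, so an untrusted string cannot
// terminate the enclosing element or open a new one. `&` is encoded
// too, so pre-encoded text is not silently decoded by the parser.
const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const encode = (s) => String(s).replace(/[&<>"]/g, (c) => ESCAPE[c]);

// Attributes are always encoded. Text children are encoded unless
// `rawText` is set, which models a styling helper that trusts CSS text.
function render(tag, props = {}, children = [], { rawText = false } = {}) {
  const attrs = Object.entries(props)
    .map(([k, v]) => ` ${k}="${encode(v)}"`)
    .join('');
  const inner = children
    .map((c) => (rawText ? String(c) : encode(c)))
    .join('');
  return `<${tag}${attrs}>${inner}</${tag}>`;
}

// Defender-side check for a raw-text sink: the serialized output should
// contain exactly one closing tag for the host element. A second one
// means untrusted text terminated the element early.
function hasBreakout(html, tag) {
  const closeCount = html.split(`</${tag}>`).length - 1;
  return closeCount > 1;
}

// Payload quoted in the thread, used here only as test input.
const untrusted = '</style><script>alert("hi")</script>';

// Encoded: the browser treats <style> content as raw text and does not
// decode entities, so the CSS is simply broken, but no element is opened.
const safe = render('style', {}, [untrusted]);

// Raw: the same string closes <style> and injects a <script> element.
const unsafe = render('style', {}, [untrusted], { rawText: true });
```

The check is a heuristic for this one failure mode; the fix is to keep text children encoded (or validate CSS separately), not to scan output after the fact.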
-
Jason Miller 🦊⚛️ (developit@mastodon.social)'s status on Tuesday, 14-Feb-2023 22:13:37 JST Jason Miller 🦊⚛️ @aral oooh this looks much easier to package than mkcert...