From a556353057c471c640f9272b68488e3bcfd83f18 Mon Sep 17 00:00:00 2001 From: Daniel Vogelheim Date: Tue, 16 Apr 2024 18:41:31 +0200 Subject: [PATCH] Review feedback. --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index b0e7760..07bb95a 100644 --- a/index.bs +++ b/index.bs @@ -858,7 +858,7 @@ new document. Therefore Sanitizer API is not directly affected by mutated XSS. If a developer were to retrieve a sanitized node tree as a string, e.g. via `.innerHTML`, and to then parse it again then mutated XSS may occur. -We recommend against this practice. If processing or passing of HTML as a +We discourage this practice. If processing or passing of HTML as a string should be necessary after all, then any string should be considered untrusted and should be sanitized (again) when inserting it into the DOM. In other words, a sanitized and then serialized HTML tree can no
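Review bot: The changed line softens "We recommend against this practice" to "We discourage this practice", which leaves the surrounding paragraph ambiguous about whether this is a normative requirement or informative guidance, even though the preceding context lines state that re-parsing a serialized sanitized tree (e.g. via `.innerHTML`) can result in mutated XSS. Consider either phrasing it with an explicit conformance keyword (e.g. "Authors SHOULD NOT serialize and re-parse sanitized trees") or marking the paragraph as a non-normative note so readers know how to weigh it; the following sentences ("any string should be considered untrusted and should be sanitized (again)") would then read consistently with that choice. The commit message "Review feedback." should also name the wording change it makes.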