
That's exactly what XHTML does, in an XHTML document:

    sample = `<form><math><mtext></form><form><mglyph><style></math><img src onerror=alert(1)>`
    fragment = DOMPurify.sanitize(sample, {RETURN_DOM_FRAGMENT: true})
    body = (new XMLSerializer).serializeToString(fragment)
    //...<style>&lt;/math&gt;&lt;img src onerror=alert(1)&gt;</style>...

    div.innerHTML = body
    div.append(fragment)
    iframe.srcdoc = body

It renders nicely:

    </math><img src onerror=alert(1)>
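
Added example, not part of the comment above: a toy serializer in JavaScript showing why the XML serialization in the comment escapes the text inside `<style>`, while HTML serialization emits it verbatim. The node model, function names and sample are constructed for illustration; attributes, namespaces and the HTML `&nbsp;` rule are omitted.

```javascript
// Toy node model (assumption for illustration, not a real DOM):
// a node is either a string (text node) or { tag, children }.

// Elements whose text children the HTML fragment serializer emits verbatim.
const RAW_TEXT_PARENTS = new Set([
  'style', 'script', 'xmp', 'iframe', 'noembed', 'noframes', 'plaintext',
]);

// Text escaping shared by both serializers for ordinary text nodes.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// mode 'html': text under a raw-text parent is written unescaped.
// mode 'xml' : every text node is escaped, whatever its parent is.
function serialize(node, mode, parentTag = null) {
  if (typeof node === 'string') {
    const verbatim = mode === 'html' && RAW_TEXT_PARENTS.has(parentTag);
    return verbatim ? node : escapeText(node);
  }
  const inner = node.children.map((c) => serialize(c, mode, node.tag)).join('');
  return `<${node.tag}>${inner}</${node.tag}>`;
}

// Constructed sample: the text the comment shows ending up inside <style>.
const styleNode = {
  tag: 'style',
  children: ['</math><img src onerror=alert(1)>'],
};

// Constructed sample: an ordinary element, escaped the same way in both modes.
const paraNode = { tag: 'p', children: ['a<b & c'] };

function demo() {
  return {
    styleAsHtml: serialize(styleNode, 'html'), // text kept as raw markup
    styleAsXml: serialize(styleNode, 'xml'),   // text escaped, stays text on re-parse as XML
    paraAsHtml: serialize(paraNode, 'html'),
    paraAsXml: serialize(paraNode, 'xml'),
  };
}

console.log(demo());
```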


