It's generally true that you can create node trees that cannot be serialized or that can be serialized and then when parsed result in a different tree. This is not a unique ability of comments.
With this in mind, I think it's OK to leave things as is.
In the HTML spec, it says that comments must not contain --> among other things: https://html.spec.whatwg.org/multipage/syntax.html#comments

In the DOM spec, it says that you can create a Comment with any text, no restrictions: https://dom.spec.whatwg.org/#interface-comment

This was raised in a chrome issue where someone pointed out that you can create a Comment in script which contains a -->, put other things after the -->, and reassign document.body.innerHTML = document.body.innerHTML which will make everything after the --> get parsed as actual HTML instead of comments

@mfreed7
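The mismatch described in this issue, as an added example that is not part of the original thread: a check of Comment data against the HTML syntax spec's restrictions on comment text, plus a simplified model of where a re-parse would end the comment. The function names `commentDataViolations` and `splitAsParsed` and the sample strings are constructed for illustration; the split models only the tokenizer's comment-closing rules, not a full HTML parser.

```javascript
// Added example: names and sample strings are constructed, not from the issue.

// Restrictions the HTML syntax spec (#comments) places on comment text.
// The DOM's Comment interface enforces none of them.
function commentDataViolations(data) {
  const found = [];
  if (data.startsWith(">")) found.push('starts with ">"');
  if (data.startsWith("->")) found.push('starts with "->"');
  for (const seq of ["<!--", "-->", "--!>"]) {
    if (data.includes(seq)) found.push(`contains "${seq}"`);
  }
  if (data.endsWith("<!-")) found.push('ends with "<!-"');
  return found;
}

// Simplified model of the tokenizer's comment states: given Comment data that
// was serialized as "<!--" + data + "-->", return the data the re-parsed
// comment keeps and the text that falls outside it and is parsed as markup.
function splitAsParsed(data) {
  let cut = -1;
  let skip = 0;
  if (data.startsWith(">")) { cut = 0; skip = 1; }
  else if (data.startsWith("->")) { cut = 0; skip = 2; }
  else {
    // Both "-->" and "--!>" close a comment; the earliest one wins.
    for (const [seq, len] of [["-->", 3], ["--!>", 4]]) {
      const i = data.indexOf(seq);
      if (i !== -1 && (cut === -1 || i < cut)) { cut = i; skip = len; }
    }
  }
  if (cut === -1) return { comment: data, leaked: "" };
  // The serializer's own "-->" ends up as trailing text after the leaked part.
  return { comment: data.slice(0, cut), leaked: data.slice(cut + skip) + "-->" };
}

// Constructed sample inputs.
for (const data of ["plain note", "note --><b>now markup</b>", "a--!>x"]) {
  console.log(JSON.stringify(data), commentDataViolations(data), splitAsParsed(data));
}
```

Code that builds Comment nodes from untrusted text can run a check like `commentDataViolations` before any step that serializes and re-parses the tree.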