Closed mmndaniel closed 1 year ago
Great lead on this one. This happened for 2 unprofessional reasons on my end:

1. The `JSON.stringify` trick, where its result is a string for trusted types but an object for actual nodes - which brings me to the next point:
2. To fix this I had to find a way to tell trusted HTMLs apart from nodes in a safer way; for that I came up with #102
fixed #102
Essentially exploiting two things:

a. `JSON.stringify` behavior can be overridden with a `toJSON` method (see MDN).
b. This line excludes trusted HTMLs (perhaps because it assumes it was already handled by handleHTML?) by evaluating `typeof parse(stringify(node, replacer)) === 'string'`, which can be made to return true by utilizing a.
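The mechanism described in the comment above, as an added example that is not code from this thread or from the project it concerns. The project's real `replacer`, `handleHTML` and the fix in #102 are not shown on the page, so the pass-through replacer, the constructed stand-in for a DOM element, and the `WeakSet`-backed "trusted HTML" registry used as a hardened check are all assumptions of this example:

```javascript
// Added example, not the project's code. The project's replacer is not on
// the page; a replacer that passes every value through is assumed here.
const replacer = (key, value) => value;

// The vulnerable check quoted in the issue: a value that survives a
// stringify/parse round trip as a string is treated as trusted HTML, on the
// assumption that real DOM nodes always serialize to an object.
function isTrustedHtmlVulnerable(node) {
  return typeof JSON.parse(JSON.stringify(node, replacer)) === 'string';
}

// Constructed stand-in for an element, so the demo runs without a DOM.
function makeFakeElement(outerHTML) {
  return { nodeType: 1, tagName: 'IMG', outerHTML };
}

// Attacker-controlled node: JSON.stringify consults toJSON before the
// replacer runs (MDN), so returning a string makes the check say "trusted"
// even though the value is still an object carrying markup.
function makeBypassElement(outerHTML) {
  const el = makeFakeElement(outerHTML);
  el.toJSON = () => outerHTML;
  return el;
}

// Assumed hardening, not the fix from #102: trusted HTML is an instance the
// sanitizer itself created, tracked in a WeakSet that attacker-supplied
// objects cannot enroll themselves in. No serialization is consulted.
const trustedRegistry = new WeakSet();
class TrustedHTML {
  constructor(html) {
    this.html = String(html);
    trustedRegistry.add(this);
  }
  toString() { return this.html; }
}
function markTrusted(html) { return new TrustedHTML(html); }
function isTrustedHtmlHardened(value) {
  return typeof value === 'object' && value !== null && trustedRegistry.has(value);
}

// Constructed sample payload for the demonstration.
const payload = '<img src=x onerror=alert(1)>';
console.log('plain string, vulnerable check :', isTrustedHtmlVulnerable('<b>safe</b>'));
console.log('fake element, vulnerable check :', isTrustedHtmlVulnerable(makeFakeElement(payload)));
console.log('toJSON element, vulnerable check:', isTrustedHtmlVulnerable(makeBypassElement(payload)));
console.log('toJSON element, hardened check  :', isTrustedHtmlHardened(makeBypassElement(payload)));
console.log('marked trusted, hardened check  :', isTrustedHtmlHardened(markTrusted('<b>safe</b>')));
```

The point of the hardened variant is that the decision no longer depends on any behaviour the value itself can influence: `toJSON`, `toString` and `valueOf` are all under the caller's control, while membership in a private `WeakSet` is only granted by the sanitizer's own constructor.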