Consider using a separate tag

[koto]

I understand what the advantages are for hooking into <template>, but please consider using a new tag for the shadow DOM.

Changing the semantics of <template> has a nasty side effect here, as so far anything under a <template> node was inert (e.g. there would be no script execution for <script> nodes, until the document fragment was manually moved to the main document - or Shadow DOM was attached). I imagine there are websites out there that started treating <template> tag as an inert container when sanitizing user-provided HTML.

Under this proposal, adding an attribute breaks that assumption, and the code starts executing immediately, potentially enabling an XSS flaw that was not present in the past.

[craigfrancis]

Is this when using document.createElement(’template’), or when <template> is used in the HTML document?

I was under the impression that the latter had a problem, as the user provided content could include </template><script ....

[mfreed7]

Thanks for the comment. The issue, as mentioned here to georges-gomes, is that for a new <shadowroot> tag, before all browsers understand that tag, all contained scripts and styles will be live on the page. That seems worse than adding an attribute to <template> and having that be live. In that case it’s under your control. In the “new element” case, old browsers just start executing code and applying styles. Would you agree?

[mfreed7]

I'm going to close this - please feel free to chime back in if you disagree with my comment above.