template + innerHTML VS DOMParser for fragment

[JounQin]

Initial checklist

• [X] I read the support docs
• [X] I read the contributing guide
• [X] I agree to follow the code of conduct
• [X] I searched issues and couldn’t find anything (or linked relevant results below)

Problem

Which solution should be preferred?

Solution

https://github.com/rehypejs/rehype-dom/pull/19

Alternatives

N/A

[remcohaszing]

Hey, long time no see! :wave:

I think the method used here in hast-util-from-html-isomorphic is relatively elegant. As far as I can tell it works fine. I would love to hear about cases where the other method is preferred though.

[wooorm]

I believe the linked issue explains more. Using a template in the current document sends HTTP requests: https://github.com/rehypejs/rehype-dom/issues/18.

[remcohaszing]

I am seeing a network request when using the code from https://stackoverflow.com/questions/12747350/using-documentfragment-to-parse-html-without-sending-http-requests (linked from https://github.com/rehypejs/rehype-dom/issues/18), but not when using a <template> tag as is used in the current approach.

[wooorm]

Hmm, funky. Might be the template tag?

[remcohaszing]

Yes, I think so.

This HTML document triggers a request:

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <img src="./image.png" />
  </body>
</html>

This one doesn’t

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <template>
      <img src="./image.png" />
    </template>
  </body>
</html>

[wooorm]

@JounQin Then I think this can be closed?

[wooorm]

Closing, seems fine!

[github-actions[bot]]

Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.

[JounQin]

Sure, I missed this issue for a long time.

I'm not for sure will template + innerHTML be XSSed? But I think DOMParser will never be?