Closed JounQin closed 1 year ago
Hey, long time no see! :wave:
I think the method used here in hast-util-from-html-isomorphic is relatively elegant. As far as I can tell it works fine. I would love to hear about cases where the other method is preferred though.
I believe the linked issue explains more. Using a template in the current document sends HTTP requests: https://github.com/rehypejs/rehype-dom/issues/18.
I am seeing a network request when using the code from https://stackoverflow.com/questions/12747350/using-documentfragment-to-parse-html-without-sending-http-requests (linked from https://github.com/rehypejs/rehype-dom/issues/18), but not when using a <template> tag as is used in the current approach.
Hmm, funky. Might be the template tag?
Yes, I think so.
This HTML document triggers a request:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
</head>
<body>
<img src="./image.png" />
</body>
</html>
This one doesn’t:
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
</head>
<body>
<template>
<img src="./image.png" />
</template>
</body>
</html>
@JounQin Then I think this can be closed?
Closing, seems fine!
Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.
Sure, I missed this issue for a long time.
I'm not sure, will template + innerHTML be XSSed? But I think DOMParser will never be?
Initial checklist
Problem
Which solution should be preferred?
Solution
https://github.com/rehypejs/rehype-dom/pull/19
Alternatives
N/A
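
On the XSS question raised in the thread: parsing into a <template> and parsing with DOMParser both produce inert nodes (no script execution, no resource fetches), so the exposure comes from what is later inserted into the live document. The following is an added example, not code from rehype-dom or from anyone in the thread, that audits an inert parse result before insertion. The names findActiveContent and parseInert are hypothetical and the check list is illustrative, not a complete sanitizer.

```javascript
// Added example: audit an inert parse result before it reaches the live DOM.
// Names below are hypothetical; the checks are illustrative, not exhaustive.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href']);

function findActiveContent(node, findings = []) {
  if (node.nodeType === 1) { // ELEMENT_NODE
    const tag = node.nodeName.toLowerCase();
    if (tag === 'script') findings.push('<script> element');
    for (const attr of Array.from(node.attributes)) {
      const name = attr.name.toLowerCase();
      // Drop whitespace and control characters before testing the scheme.
      const value = attr.value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
      if (name.startsWith('on')) {
        findings.push(`<${tag}> ${name} handler`);
      } else if (URL_ATTRS.has(name) && value.startsWith('javascript:')) {
        findings.push(`<${tag}> ${name} javascript: URL`);
      }
    }
    // A nested <template> keeps its children in .content, not in childNodes.
    if (node.content) findActiveContent(node.content, findings);
  }
  for (const child of Array.from(node.childNodes || [])) {
    findActiveContent(child, findings);
  }
  return findings;
}

function parseInert(html, doc) {
  const template = doc.createElement('template');
  // Template contents belong to an inert document: nothing is fetched or executed.
  template.innerHTML = html;
  return template.content;
}

if (typeof document !== 'undefined' && typeof DOMParser !== 'undefined') {
  // Constructed sample input.
  const sample = '<img src="./image.png" onerror="handler()"><a href="javascript:void(0)">x</a>';
  const viaTemplate = parseInert(sample, document);
  const viaParser = new DOMParser().parseFromString(sample, 'text/html');
  console.log(findActiveContent(viaTemplate), findActiveContent(viaParser));
}
```

Both parse routes report the same findings for the same markup; a non-empty result means the nodes need sanitizing before they are appended to the page.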