From d36b9af21aba75e4839093f29e0c62064b7cac71 Mon Sep 17 00:00:00 2001 From: Eric Cornelissen Date: Wed, 6 Nov 2024 17:17:59 +0100 Subject: [PATCH] typo --- domc_wiki/indicators/patterns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/domc_wiki/indicators/patterns.md b/domc_wiki/indicators/patterns.md index b336d27..baa65cf 100644 --- a/domc_wiki/indicators/patterns.md +++ b/domc_wiki/indicators/patterns.md @@ -51,4 +51,4 @@ Properties of `document` can always be overwritten by DOM Clobbering, even immed While robust sanitizers may remove [named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties), an alternative solution is to separate the namespace of variables defined by JavaScript code and named properties in user-generated markups. For example, the markdown to HTML converter of source code version control applications often prefix `id` and `name` attribute values of user-generated markup with a specific string. If you use [DOMPurify](https://cure53.de/purify) you can use the [`SANITIZE_NAMED_PROPS`](https://github.com/cure53/DOMPurify/pull/710) option to automatically namespace `id`s and `name`s. -Alternatively, one monitor runtime changes in the DOM tree via the [MutationObserver API](https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver), and prefix named properties of all dynamically inserted markups before adding them to the tree like [@weizman/shield](https://weizmangal.com/shield/) does. This provides some protections provided you can ensure it is run first, but you need to be careful when dynamically inserting HTML because it can temporarily cause clobbering. Also, some newer `
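Review bot: The unchanged context line in this hunk still has a subject-verb mismatch, "the markdown to HTML converter of source code version control applications often prefix"; since this commit is a typo pass on the neighbouring paragraph, fix it in the same change ("converters ... often prefix" or "converter ... often prefixes"). The removed line reads "Alternatively, one monitor runtime changes", which lacks a verb such as "can"; the added line is cut off in the patch as shown here, so confirm that this is the fix it carries. In the same sentence, "it can temporarily cause clobbering" does not say when the window exists; one more clause stating that MutationObserver callbacks run only after the markup is already in the tree would make the caveat actionable for readers. The subject "typo" would also be easier to find in history if it named the file, for example "patterns.md: fix missing verb".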