plant-ian 5 days ago
Inline handlers could execute trusted code without user input but in a way that was unintended, like this button that hijacks a method of a trusted library and disguises it behind a like button:
This should be sanitized when the button HTML is injected into the DOM, but CSP provides complementary protection [1] if sanitizing fails.

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP...

edited: tried to fix formatting
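Added example, not part of the comment above: a small checker that parses a Content-Security-Policy header and reports whether a bare inline event handler attribute (an `onclick="..."` like the one the comment describes) would be allowed to run, following the directive fallback order `script-src-attr` > `script-src` > `default-src`. The policy strings are constructed for illustration.

```javascript
// Parse "directive source source; directive source" into a Map of
// directive name -> array of source expressions. Directive names are
// case-insensitive; a repeated directive is ignored (first one wins).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [rawName, ...sources] = tokens;
    const name = rawName.toLowerCase();
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Source list that governs inline event handler attributes:
// script-src-attr, falling back to script-src, then default-src.
// Returns null when no directive applies (CSP does not restrict scripts).
function governingSources(policy) {
  for (const name of ["script-src-attr", "script-src", "default-src"]) {
    if (policy.has(name)) return policy.get(name);
  }
  return null;
}

// True when an inline handler that is NOT allow-listed by hash would run.
// 'unsafe-inline' is ignored by CSP Level 2+ browsers whenever a nonce- or
// hash-source is also listed, so the handler is blocked in that case; the
// 'unsafe-hashes' keyword only admits handlers whose hash is listed.
function inlineHandlersAllowed(header) {
  const sources = governingSources(parseCsp(header));
  if (sources === null) return true;
  const kw = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = kw.some(
    (s) => s.startsWith("'nonce-") || /^'sha(256|384|512)-/.test(s)
  );
  return kw.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed policies: weak setting beside the corrected one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'";
const HARDENED_POLICY = "default-src 'self'; script-src 'self'";
```

`inlineHandlersAllowed(WEAK_POLICY)` is true and `inlineHandlersAllowed(HARDENED_POLICY)` is false; sanitizing the injected HTML is still the primary defence, the policy is the backstop.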