so basically, i’m making my own tiny frontend for fun and learning nuxt stuff, and posts are plain html, but the wasteof api makes it xss-proof so that's cool :)

<script>alert(1)</script>

(ignore this)

comments

hey!!! i'm doing that!!! /j (should probably announce mine though)

!!

(yeah lol)

you actually can post actual html, jeffalo’s be removes like 99% of tags and attributes though

how does the wasteof API make it xss-proof?

dompurify

the backend does that? I thought that was just the frontend.

both do

if it didn’t, we’d’ve had both of the following:

  1. xss attack

  2. funny cohost esque css crimes

afaik the frontend may just use v-html

since the backend does the purifying afaik
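An added example (not code from the original post, nor from the wasteof frontend or backend) of the sanitize-before-v-html pattern the comments describe: the backend already runs DOMPurify, and this is the frontend's own copy of the same check inside a Nuxt component. It assumes the `isomorphic-dompurify` package is installed (so one `sanitize()` call works both during SSR and in the browser) and that the API post object carries its raw HTML in a `content` field; both are assumptions.

```vue
<script setup>
// Added example, not code from the wasteof frontend or backend.
// isomorphic-dompurify wraps DOMPurify with a jsdom window on the server,
// so the same sanitize() call works during Nuxt SSR and in the browser
// (plain `dompurify` has no sanitize() when there is no window).
import { computed } from 'vue'
import DOMPurify from 'isomorphic-dompurify'

// Assumed prop shape: the API post object carrying the raw HTML in `content`.
const props = defineProps({
  post: { type: Object, required: true },
})

// Keep only the basic HTML profile (no SVG/MathML), and additionally drop
// <style> and inline style= so a post cannot restyle the surrounding page,
// the "css crimes" case from the thread. <script> tags and on* handlers are
// already removed by the default profile.
const sanitizeConfig = {
  USE_PROFILES: { html: true },
  FORBID_TAGS: ['style'],
  FORBID_ATTR: ['style'],
}

// Never hand raw API HTML to v-html, even when the backend sanitized it too:
// the frontend copy of the check costs nothing and survives a backend regression.
const safeHtml = computed(() =>
  DOMPurify.sanitize(props.post.content ?? '', sanitizeConfig),
)
</script>

<template>
  <!-- v-html is only ever bound to the sanitized string, never to post.content -->
  <article class="post" v-html="safeHtml"></article>
</template>
```

With this in place, a post body such as the thread's own `<script>alert(1)</script>` reaches the DOM with the script element removed, whichever side sanitized it first.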