so basically, i’m making my own tiny frontend for fun and learning nuxt stuff, and posts are plain html, but the wasteof api makes it xss proof so that’s cool :)

<script>alert(1)</script>

(ignore this)

comments (single view)

dompurify

the backend does that? I thought that was just the frontend.

both do

if it didn’t, we’d’ve had both of the following:

  1. xss attack

  2. funny cohost-esque css crimes

afaik the frontend may just use v-html

since the backend does the purifying afaik
