template + innerHTML VS DOMParser for fragment
JounQin opened this issue · 9 comments
Initial checklist
- I read the support docs
- I read the contributing guide
- I agree to follow the code of conduct
- I searched issues and couldn’t find anything (or linked relevant results below)
Problem
Which solution should be preferred?
Solution
Alternatives
N/A
Hey, long time no see! 👋
I think the method used here in hast-util-from-html-isomorphic is relatively elegant. As far as I can tell it works fine. I would love to hear about cases where the other method is preferred though.
I believe the linked issue explains more. Using a template in the current document sends HTTP requests: rehypejs/rehype-dom#18.
I am seeing a network request when using the code from https://stackoverflow.com/questions/12747350/using-documentfragment-to-parse-html-without-sending-http-requests (linked from rehypejs/rehype-dom#18), but not when using a <template> tag as is used in the current approach.
Hmm, funky. Might be the template tag?
Yes, I think so.
This HTML document triggers a request:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
</head>
<body>
<img src="./image.png" />
</body>
</html>
```

This one doesn’t

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
</head>
<body>
<template>
<img src="./image.png" />
</template>
</body>
</html>
```

Closing, seems fine!
Hi! This was closed. Team: If this was fixed, please add phase/solved. Otherwise, please add one of the no/* labels.
Sure, I missed this issue for a long time.
I'm not sure: can template + innerHTML be XSSed? But I think DOMParser never will be?
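
Added example, not part of the thread or of the project's code: hast-util-from-html-isomorphic returns a hast tree, so whichever browser parser built it, script elements, `on*` handlers and `javascript:` URLs are carried along as plain data and matter at the point where the tree is rendered. The audit below walks a hast-shaped tree and reports such nodes; the function names, the URL property list and the sample tree are assumptions constructed for illustration.

```javascript
// Added example: report markup in a hast tree that becomes active when rendered.
// Node shapes follow hast: { type, tagName, properties, children }.
// URL_PROPS is an illustrative list, not an exhaustive one (assumption).
const URL_PROPS = new Set(['href', 'src', 'action', 'formAction', 'xLinkHref']);

function isScriptUrl(value) {
  // Browsers ignore tabs, newlines and leading control characters in URLs,
  // so strip everything <= U+0020 before comparing (deliberately conservative).
  const compact = String(value).replace(/[\u0000-\u0020]/g, '');
  return /^javascript:/i.test(compact);
}

function findActiveContent(node, path = 'root', findings = []) {
  if (node.type === 'element') {
    if (node.tagName === 'script') {
      findings.push({ path, reason: 'script element' });
    }
    for (const [name, value] of Object.entries(node.properties || {})) {
      if (/^on/i.test(name)) {
        // hast camel-cases handlers (onError), raw attributes are lower case.
        findings.push({ path, reason: `event handler ${name}` });
      } else if (URL_PROPS.has(name) && isScriptUrl(value)) {
        findings.push({ path, reason: `javascript: URL in ${name}` });
      }
    }
  }
  (node.children || []).forEach((child, i) => {
    const label = child.type === 'element' ? child.tagName : child.type;
    findActiveContent(child, `${path} > ${label}[${i}]`, findings);
  });
  return findings;
}

// Constructed sample tree (not taken from the issue).
const sampleTree = {
  type: 'root',
  children: [
    { type: 'element', tagName: 'img', children: [],
      properties: { src: './image.png', onError: 'alert(1)' } },
    { type: 'element', tagName: 'a', properties: { href: ' java\tscript:alert(1)' },
      children: [{ type: 'text', value: 'link' }] },
    { type: 'element', tagName: 'script', properties: {},
      children: [{ type: 'text', value: 'alert(1)' }] },
    { type: 'element', tagName: 'p', properties: { className: ['note'] },
      children: [{ type: 'text', value: 'plain text' }] }
  ]
};

console.log(findActiveContent(sampleTree));
```

A non-empty result means the tree needs sanitizing before it is rendered into a live document; in the rehype ecosystem that is the job of hast-util-sanitize / rehype-sanitize.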