Add warning about lack of sanitization to HTML parsing methods

This adds a warning similar to the one for the explicitly unsafe HTML parsing methods, to DOMParser and document.write()/writeln().
whatwg · Apr 10, 2024 · a9b07fb · a9b07fb
1 parent f2089ab
commit a9b07fb
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/source b/source
@@ -112287,6 +112287,9 @@ document.body.appendChild(frame)</code></pre>
    </dd>
   </dl>
 
+  <p class="warning">This method performs no sanitization to remove potentially-dangerous elements
+  and attributes like <code>script</code> or <span>event handler content attributes</span>.</p>
+
   <div w-nodev>
 
   <p><code>Document</code> objects have an <dfn>ignore-destructive-writes counter</dfn>, which is
@@ -112369,6 +112372,9 @@ document.body.appendChild(frame)</code></pre>
    </dd>
   </dl>
 
+  <p class="warning">This method performs no sanitization to remove potentially-dangerous elements
+  and attributes like <code>script</code> or <span>event handler content attributes</span>.</p>
+
   <div w-nodev>
 
   <p>The <dfn method for="Document"><code
@@ -112432,6 +112438,9 @@ dictionary <dfn dictionary>GetHTMLOptions</dfn> {
   would be a standalone function. For parsing HTML, the modern alternative is <code
   data-x="dom-parseHTMLUnsafe">Document.parseHTMLUnsafe()</code>.</p>
 
+  <p class="warning">This method performs no sanitization to remove potentially-dangerous elements
+  and attributes like <code>script</code> or <span>event handler content attributes</span>.</p>
+
   <pre><code class="idl">[Exposed=Window]
 interface <dfn interface>DOMParser</dfn> {
   <span data-x="dom-DOMParser-constructor">constructor</span>();