wrec 0.1.4 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +5 -4
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -166,12 +166,13 @@ static formAssociated = true;
|
|
|
166
166
|
|
|
167
167
|
Wrec uses the JavaScript `eval` function to evaluate JavaScript expressions
|
|
168
168
|
that are placed in attribute values and the text content of elements.
|
|
169
|
-
This has security implications
|
|
170
|
-
|
|
169
|
+
This has security implications if those expressions
|
|
170
|
+
can come from untrusted sources, so it is best avoid
|
|
171
|
+
creating web components that use untrusted content in those ways.
|
|
171
172
|
|
|
172
|
-
Perhaps the most dangerous thing
|
|
173
|
+
Perhaps the most dangerous thing the use of `eval` allows
|
|
173
174
|
is sending HTTP requests to other servers.
|
|
174
|
-
Such requests could contain data from your web app
|
|
175
|
+
Such requests could contain data scraped from your web app
|
|
175
176
|
in order to share it with unscrupulous sites.
|
|
176
177
|
|
|
177
178
|
The easiest way to prevent this is to add a
|
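Review bot: the added README line 170 reads "so it is best avoid" and is missing "to"; it should read "so it is best to avoid creating web components that use untrusted content in those ways." The reworded warning also leaves "untrusted sources" undefined. Since the paragraph says expressions in attribute values and element text content are passed to `eval`, consider naming the concrete rule for component authors: values that originate outside the application's own source must not be placed where wrec will evaluate them. The package.json change is a version bump only, so this README text is the whole of the security guidance that changes between 0.1.4 and 0.1.6.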