From what I see, ProseMirror already safely encodes XSS attack vectors in whatever is returned from toDOM() of schema nodes. Can I safely assume I don’t have to encode HTML chars before it comes to toDOM()?
Thank you.
Yes, you can assume that they are treated safely.