Should the values passed to toDOM of schema nodes/marks be escaped for XSS safety?

From what I see, ProseMirror already safely encodes XSS attack vectors in whatever is returned from toDOM() of schema nodes. Can I safely assume I don't have to encode HTML chars before they get to toDOM()?

Thank you.

Yes, you can assume that they are treated safely.

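An added example, not ProseMirror's own code and not from either poster, to show why the answer above holds and where it stops holding. ProseMirror's DOMSerializer turns the array spec that toDOM() returns (for example `["p", {class: "x"}, 0]`) into real DOM nodes with createElement, setAttribute and createTextNode, so attribute values and text strings are data and never get parsed as markup. Because plain Node has no DOM, the snippet models that with plain objects and escapes only at the final string boundary; `renderSpec`, `toHTML`, `findUnsafeUrls` and the payload strings are this example's own constructs. The caveat it also demonstrates: an attribute value being inert as markup says nothing about it being a safe URL, so a `javascript:` href set through setAttribute survives verbatim and needs its own check.

```javascript
// Added example (not ProseMirror code): a minimal model of rendering a toDOM()
// output spec into nodes, with the string serializer standing in for the
// browser's DOM APIs. Tag names and attribute names come from the schema
// author's toDOM() and are treated as code; attribute values and strings are
// treated as data, which is what makes untrusted values safe here.

// Strings become text nodes, arrays become elements, 0 marks the content hole.
function renderSpec(spec) {
  if (typeof spec === "string") return { type: "text", text: spec };
  if (!Array.isArray(spec)) throw new Error("unsupported output spec");
  const [tag, ...rest] = spec;
  const node = { type: "element", tag, attrs: {}, children: [] };
  let i = 0;
  if (rest.length && rest[0] && typeof rest[0] === "object" && !Array.isArray(rest[0])) {
    node.attrs = rest[0];
    i = 1;
  }
  for (; i < rest.length; i++) {
    if (rest[i] === 0) continue; // content hole: children would be rendered here
    node.children.push(renderSpec(rest[i]));
  }
  return node;
}

// Escaping happens once, at the boundary where text becomes markup. In a real
// browser createTextNode/setAttribute give the same guarantee without strings.
const escapeText = (s) => String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => escapeText(s).replace(/"/g, "&quot;");

function toHTML(node) {
  if (node.type === "text") return escapeText(node.text);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
    .join("");
  return `<${node.tag}${attrs}>${node.children.map(toHTML).join("")}</${node.tag}>`;
}

// Constructed payload: an attribute-breakout plus a script tag as text content.
const PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>';
const PAYLOAD_TEXT = "<script>alert(1)</script>";

// Render a node whose attrs and text carry the payloads unescaped, exactly as a
// toDOM() implementation would hand them over. Nothing becomes live markup.
function renderUntrustedValues() {
  return toHTML(renderSpec(["p", { class: PAYLOAD_ATTR, title: "<b>" }, PAYLOAD_TEXT, 0]));
}

// Caveat: URL-bearing attributes are set verbatim, so a javascript: scheme is
// still a script-execution sink once the user clicks. Browsers ignore control
// characters and leading whitespace in the scheme, so strip them before matching.
const URL_ATTRS = new Set(["href", "src", "action", "formaction", "xlink:href"]);
function findUnsafeUrls(node, out = []) {
  if (node.type !== "element") return out;
  for (const [k, v] of Object.entries(node.attrs)) {
    if (!URL_ATTRS.has(k.toLowerCase())) continue;
    const scheme = String(v).toLowerCase().replace(/[\u0000-\u0020]/g, "");
    if (/^(javascript|vbscript|data):/.test(scheme)) out.push({ tag: node.tag, attr: k, value: v });
  }
  node.children.forEach((c) => findUnsafeUrls(c, out));
  return out;
}

// Audit a link mark's output spec for a given href (hypothetical mark shape).
function auditLink(href) {
  return findUnsafeUrls(renderSpec(["a", { href, rel: "noopener" }, 0]));
}

console.log(renderUntrustedValues());
console.log(auditLink("javascript:alert(1)"));
```

The practical rule this illustrates: leave HTML-escaping to the serializer (pre-escaping would double-encode and show `&lt;` literally in the editor), but validate URL schemes in attribute values yourself, since that is a different class of attack than markup injection.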