Tom Schuster evilpie

Default configuration

The Sanitizer API's default configuration defines which HTML, SVG, and MathML elements and attributes are kept when sanitizing content. Comments and data-* attributes are removed by default.

Global attributes

The following attributes are allowed on all elements in the default configuration:

  • alignment-baseline
  • baseline-shift
evilpie / integrity.md
Last active September 23, 2025 16:51
Support for (script) integrity on the web
| Description | Example | Can have integrity metadata [^1] | Content-Security-Policy support for hashes | Integrity-Policy support [^2] |
|---|---|---|---|---|
| External script | `<script src=http://>` | Yes (integrity attribute) | Yes | Yes |
| Inline script | `<script>alert("hello world");</script>` | No [^3] | Yes | No |
| Event handlers | `onclick=alert(1)` | No | Yes (with 'unsafe-hashes') | No |
| javascript: protocol | `javascript:alert(2)` | No | Yes (with 'unsafe-hashes') | No |
| Static import | `import foo from "/bar.js"` | Yes ("importmap") | Yes | Yes |
| Dynamic import | `import("/script.js")` | Yes ("importmap") | Yes | Yes |
| Eval | `eval("alert('boo');")` `new Function()` ... | No | No [^4] | No |
WebAssembly No
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title></title>
</head>
<body>
<div>
evilpie / test.html
Created January 16, 2022 09:55
Test case showing read fulfillment after pipeTo shutdown
<!doctype html>
<html>
<body>
<script>
var abortController = new AbortController();
let i = 0;
let aborted = false;
var rs = new ReadableStream({
┌──────────────┐ ┌──────────────┐
│Closed promise├───┐ ┌──────────┤Closed promise│
└──┬───────────┘ │ │ └──────────────┘
│ NativePromiseHandler ▲
│ │ │ │
│ ▼ ▼ │
┌────┴──┐ ┌────────────┐ ┌────┴─┐
│ Writer│◄────────┤ PipeToPump │ ───────►│Reader│
└───────┘ └────────────┘ └─┬────┘
▲ │
evilpie / diff
Created September 28, 2021 11:05
diff --git a/dom/events/test/test_DataTransferItemList.html b/dom/events/test/test_DataTransferItemList.html
--- a/dom/events/test/test_DataTransferItemList.html
+++ b/dom/events/test/test_DataTransferItemList.html
@@ -30,6 +30,7 @@
var dragstartFired = 0;
draggable.addEventListener('dragstart', onDragStart);
function onDragStart(e) {
+ console.log("dragstart");
draggable.removeEventListener('dragstart', onDragStart);
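Review bot: the `console.log("dragstart");` added as the first statement of `onDragStart` reads as leftover debugging output in a test file. If the trace is only needed while investigating, drop it before this lands; if it is meant to stay, send the message through the test harness's own logging so it shows up in the test log with the rest of the test's output, and say in the commit message why the trace is needed.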
evilpie / keypad-arm.yaml
Created September 6, 2021 19:33
Home Assistant Alarm Control Panel integration with zigbee2mqtt physical keypad
alias: Keypad Arm
description: Arm Home Assistant alarm using the keypad.
trigger:
  - platform: mqtt
    topic: zigbee2mqtt/Keypad
condition:
  - condition: template
    value_template: '{{ trigger.payload_json.action_code == "9998" }}'
  - condition: template
    value_template: '{{ trigger.payload_json.action == "arm_all_zones" }}'
var stream = new ReadableStream({
start(controller) {
controller.enqueue("abc");
controller.enqueue("123");
controller.close()
}
});
var reader = stream.getReader();
reader.read().then(({ value, done}) => {
evilpie / run.py
Last active May 21, 2020 21:37
An alternative runner for kraken
#!/usr/bin/python
# -*- coding: utf-8 -*-
import argparse
import glob
import os
parser = argparse.ArgumentParser(description='Run kraken/sunspider.',
formatter_class=argparse.ArgumentDefaultsHelpFormatter)
parser.add_argument(
'--shell',