
Element: setHTML() method

(developer.mozilla.org)
170 points by todsacerdoti | 15 comments
1. michalpleban ◴[] No.45674843[source]
So is this basically a safe version of innerHTML?
replies(2): >>45674953 #>>45677088 #
2. Octoth0rpe ◴[] No.45674953[source]
Yes, although a slightly more relevant way of putting it would be that it's an inbuilt DOMPurify (dompurify being an npm package commonly used to sanitize html before injecting it).
replies(1): >>45678500 #
3. intrasight ◴[] No.45677088[source]
I'm confused as to why you need a "safe" version if you're the one generating and injecting the HTML.
replies(5): >>45677311 #>>45677377 #>>45678388 #>>45678704 #>>45679220 #
4. evbogue ◴[] No.45677311[source]
Why should a web page only have a single person generating and injecting HTML into it?
replies(2): >>45678210 #>>45678259 #
5. matmo ◴[] No.45677377[source]
Isn't this kinda like asking "why does my gun need a safety if I'm the only one consciously pulling the trigger"?
6. intrasight ◴[] No.45678210{3}[source]
A single company. Why would I let another company inject HTML into my page?
replies(1): >>45678306 #
7. intrasight ◴[] No.45678259{3}[source]
The analogy doesn't hold markup ;)

Whether I generate a whole page or generate a partial page and then add HTML to it is equivalent from a safety perspective.

8. afavour ◴[] No.45678306{4}[source]
There's this newfangled concept called social media where you let other people post content that exists on your web site. You're rarely allowed to post HTML because of the associated issues with sanitizing it. setHTML could help with that.
replies(1): >>45678467 #
9. theendisney ◴[] No.45678388[source]
It was kind of strange to have bbcode and wiki markup specifically to avoid allowing users to use html.
replies(1): >>45678759 #
10. president_zippy ◴[] No.45678467{5}[source]
I just had a flashback to the heyday of MySpace. Now that I think about it though, Neocities has the "social networking" of being able to discover other people's pages and give each other likes and comments.

Hmmm...

11. ngold ◴[] No.45678500[source]
Is this basically doing the same thing as https now? But for http, and firefox just never implemented a simple fix for its entire existence until now?

I obviously know nothing about this, but I still find it fascinating. Or am I off my block?

replies(1): >>45678750 #
12. halapro ◴[] No.45678704[source]
If you generate it from completely static and known values, have at it.

If you include user-provided data, then you should sanitize it for HTML.

13. masklinn ◴[] No.45678750{3}[source]
This has nothing whatsoever to do with http.
14. masklinn ◴[] No.45678759{3}[source]
Gruber’s original markdown tool passes HTML straight through; it was designed to make writing long-form content easier.

Markdown implementations can do any of that, only allowing a whitelist of HTML elements (GFM), or not allowing HTML at all.

15. jeroenhd ◴[] No.45679220[source]
As it turns out, verifying that HTML is safe to render without neutering HTML down to a whitelist of elements is actually quite difficult. That's not great when you're rendering user-generated content.

Solutions in the form of pre-existing HTML sanitisation libraries have existed for years but countless websites still manage to get XSS'd every year because not everyone capable of writing code is capable of writing secure code.
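The point made in comments 2 and 12 above (setHTML as a built-in sanitizer, needed only once the markup contains someone else's data), as an added example that is not code from MDN or from any commenter. The user comment is a constructed sample; the renderer falls back to plain text where `setHTML()` is not implemented.

```javascript
// Added example for this thread (not from MDN or the commenters).
// Shows the "before" (innerHTML) beside the "after" (setHTML) when the markup
// comes from another party, such as a user comment.

// Constructed sample of a user-submitted comment: the text and <b> are wanted,
// the onerror handler and the <script> are the parts a sanitizer must remove.
const USER_COMMENT =
  '<p>Nice post! <b>Bold</b> ' +
  '<img src="x" onerror="alert(1)"><script>alert(2)</script></p>';

// BEFORE: innerHTML trusts the string completely. The <script> element is
// inert when inserted this way, but the onerror attribute on the <img> runs
// as soon as the image fails to load: a stored XSS in the page.
function renderUnsafe(container, markup) {
  container.innerHTML = markup;
}

// AFTER: setHTML() parses the string, drops script-capable elements and
// event-handler attributes, and inserts the cleaned DOM. The paragraph and
// "Bold" survive; alert(1) and alert(2) do not.
// Returns which path ran so callers (and tests) can see it.
function renderSanitized(container, markup) {
  if (typeof container.setHTML === 'function') {
    container.setHTML(markup);
    return 'setHTML';
  }
  // Browser without the built-in sanitizer: show the comment as plain text.
  // Falling back to innerHTML here would reopen the hole, and a hand-written
  // regex "sanitizer" is exactly what comment 15 warns against.
  container.textContent = markup;
  return 'textContent';
}
```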