←back to thread

Element: setHTML() method

(developer.mozilla.org)
170 points todsacerdoti | 7 comments | 22 Oct 25 09:03 UTC | HN request time: 0.415s | source | bottom
1. evilpie ◴[22 Oct 25 20:51 UTC] No.45674985[source]
We enabled this by default in Firefox Nightly (only) this week.
replies(1): >>45675933 #
2. spankalee ◴[22 Oct 25 22:24 UTC] No.45675933[source]
I'll be very excited to use this in Lit when it hits baseline.

While lit-html templates are already XSS-hardened because template strings aren't forgeable, we do have utilities like `unsafeHTML()` that let you treat untrusted strings as HTML, which are currently... unsafe.

With `Element.setHTML()` we can make a `safeHTML()` directive and let the developer specify sanitizer options too.

replies(2): >>45676099 #>>45678737 #
3. StrauXX ◴[22 Oct 25 22:43 UTC] No.45676099[source]
Why don't you use DOMPurify right now? It's battle tested and supports configs just like this proposal.
replies(2): >>45676509 #>>45676629 #
4. ffsm8 ◴[22 Oct 25 23:34 UTC] No.45676509{3}[source]
Why would the framework do that?

The app developers can still use that right now, but if the framework forces it's usage it'd unnecessarily increase package size for people that didn't need it.

5. spankalee ◴[22 Oct 25 23:53 UTC] No.45676629{3}[source]
One, lit-html doesn't have any dependencies.

Two, even if we did, DOMPurify is ~2.7x bigger than lit-html core (3.1Kb minzipped), and the unsafeHTML() directive is less than 400 bytes minzipped. It's just really big to take on a sanitizer, and which one to use is an opinion we'd have to have. And lit-html is extensible and people can already write their own safeHTML() directive that uses DOMPurify.

For us it's a lot simpler to have safe templates, an unsafe directive, and not parse things to finely in between.

A built-in API is different for us though. It's standard, stable, and should eventually be well known by all web developers. We can't integrate it with no extra dependencies or code, and just adopt the standard platform options.

6. somat ◴[23 Oct 25 06:14 UTC] No.45678737[source]
So that's why template literals are broken. I am not much of a JS dev but sometimes I play one on TV. and I was cursing up a storm because I could not get templates to work the way I wanted them to. And I quote "What do you mean template strings are not strings? What idiot designed this."

If curious I had a bright idea for a string translation library, yes, I know there are plenty of great internationalization libraries, but I wanted to try it out. the idea was to just write normalish template strings so the code reads well, then the translation engine would lookup the template string in the language table and replace it with the translated template string, this new template string is the one that would be filled. But I could not get it to work. I finally gave up and had to implement "the template system we have at home" from scratch just to get anything working.

To the designers of JS template literals, I apologize, you were blocking an attack vector that never crossed my mind. It was the same thing the first time I had to do the cors dance. I thought it was just about the stupidest thing I had ever seen. "This protects nothing, it only works when the client(the part you have no control over) decides to do it" The idea that you need protection after you have deliberately injected unknown malicious code(ads) into your web app took me several days of hard thought to understand.

replies(1): >>45679163 #
7. normie3000 ◴[23 Oct 25 07:25 UTC] No.45679163{3}[source]
I've written a fair number of custom template literals, and I don't understand what your complaint is. Can you share more details?