Most active commenters

    ←back to thread

    Element: setHTML() method

    (developer.mozilla.org)
    170 points todsacerdoti | 16 comments | 22 Oct 25 09:03 UTC | HN request time: 0.412s | source | bottom
    1. ishouldbework ◴[22 Oct 25 21:16 UTC] No.45675241[source]
    > It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

    Emphasis mine. I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

    If the method was called setXSSSafeSubsetOfHTML sure I guess, but feels weird for setHTML to have impossible-to-override filter.

    replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #
    2. evilpie ◴[22 Oct 25 21:23 UTC] No.45675325[source]
    If you want to use an XSS-unsafe Sanitizer you have to use setHTMLUnsafe.
    3. jmull ◴[22 Oct 25 21:23 UTC] No.45675333[source]
    I guess they are going for a safe default... the idea is people who don't carefully read the docs or carefully monitor the provenance of their dynamically generated HTML will probably reach for "setHTML()".

    Meanwhile, there's "setHTMLUnsafe()" and, of course, good old .innerHTML.

    4. strbean ◴[22 Oct 25 21:23 UTC] No.45675336[source]
    This is primarily an ergonomic addition, so it kinda makes sense to me to not make the dangerous footguns more ergonomic in the process. You can still assign `innerHTML` etc. to do the dangerous thing.
    replies(2): >>45675456 #>>45675472 #
    5. ◴[22 Oct 25 21:24 UTC] No.45675342[source]
    6. hsbauauvhabzb ◴[22 Oct 25 21:35 UTC] No.45675456[source]
    Ideally this should be called dangerouslySetInnerHTML but hindsight blah blah
    7. meowface ◴[22 Oct 25 21:37 UTC] No.45675472[source]
    I agree, though I also agree with the parent that the method name is a little bit confusing. "safeSetHTML" or "setUntrustedHTML" or something would be clearer.
    replies(4): >>45676054 #>>45677128 #>>45677840 #>>45677920 #
    8. wewtyflakes ◴[22 Oct 25 22:10 UTC] No.45675791[source]
    Wouldn't that open the floodgates by allowing code that could itself call `setHTML` again but then further revise the args to escalate its privileges?
    9. strbean ◴[22 Oct 25 22:38 UTC] No.45676054{3}[source]
    Idk about that, there's a good argument that the most obvious methods should be the safe ones. That's what juniors will probably jump to first. If you need the unsafe ones, you'll probably be able to figure that out and find them quickly.
    10. jfengel ◴[23 Oct 25 01:17 UTC] No.45677128{3}[source]
    I like React's dangerouslySetInnerHTML. The name so clearly conveys "you can do this but you really, really, really shouldn't".
    replies(1): >>45677701 #
    11. domenicd ◴[23 Oct 25 02:54 UTC] No.45677701{4}[source]
    Indeed, the web platform now has setHTML() and setHTMLUnsafe() to replace the innerHTML setter.

    There's also getHTML() (which has extra capabilities over the innerHTML getter).

    12. SoftTalker ◴[23 Oct 25 03:22 UTC] No.45677840{3}[source]
    Why not name it what it does: sanitizeAndSetHTML
    13. xp84 ◴[23 Oct 25 03:38 UTC] No.45677920{3}[source]
    Naming things in that manner hasn’t proven to be a good idea over the years.

    When you have 2 of something and one is safe/better and the other one is known to be problematic, you give the awkward name to the problematic one and the obvious name to the safe/better one. Noobs oughtn’t to be attempting the other one, and anyone who is mature enough to have reason to do it, are mature enough to appreciate the reason behind that complexity.

    14. systoll ◴[23 Oct 25 03:49 UTC] No.45677986[source]
    A script tag would be able to call setHTMLUnsafe, bypassing whatever sanitation you configured.

    I’d’ve made it a runtime error to call setHTML with an unsafe config, but Javascript tends toward implicit reinterpretation rather than erroring-out.

    15. recursivecaveat ◴[23 Oct 25 05:26 UTC] No.45678424[source]
    You have to make the safe version the ergonomic one. Many many C++ memory bugs are a result of the standards committee making the undefined behaviour version of an operation even 3 characters shorter than the safe one. (They're still doing it too! I found another example added in C++23 recently)
    16. masklinn ◴[23 Oct 25 06:24 UTC] No.45678786[source]
    > feels weird for setHTML to have impossible-to-override filter.

    It really doesn’t. We’ve decades of experience telling us that safe behaviour is critical.

    > I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

    Because there’s an infinitesimal number of situations where it’s not broken, and that means you should have to put in work to get there.

    `innerHTML` still exists, and `setHTMLUnsafe` has no filtering whatsoever by default (not even the script deactivation innerHTML performs).