(developer.mozilla.org)

167 points todsacerdoti | 1 comments | 22 Oct 25 09:03 UTC | HN request time: 0.202s | source

Show context

ishouldbework ◴[22 Oct 25 21:16 UTC] No.45675241[source]▶

> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

If the method was called setXSSSafeSubsetOfHTML sure I guess, but feels weird for setHTML to have impossible-to-override filter.

replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #

1. ◴[22 Oct 25 21:24 UTC] No.45675342[source]▶

>>45675241 #

↑

Element: setHTML() method