Element: setHTML() method

(developer.mozilla.org)
170 points todsacerdoti | 1 comment
ishouldbework No.45675241
> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow the `script` tag, why should it be stripped?

If the method was called setXSSSafeSubsetOfHTML, sure, I guess, but it feels weird for setHTML to have an impossible-to-override filter.

replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #
strbean No.45675336
This is primarily an ergonomic addition, so it kinda makes sense to me to not make the dangerous footguns more ergonomic in the process. You can still assign `innerHTML` etc. to do the dangerous thing.
replies(2): >>45675456 #>>45675472 #
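To make the behaviour in the quoted MDN sentence and in the reply above concrete, here is an added browser demo (not code from the thread, from MDN, or from any browser project): the same constructed input goes through setHTML() with a configuration that explicitly allows `script` and `img`, and through innerHTML. It assumes a browser that implements Element.setHTML() and the Sanitizer API as described on the linked MDN page; the `{ elements: [...] }` configuration shape, the element ids and the title-changing payloads are assumptions made for this demo.

```html
<!doctype html>
<meta charset="utf-8">
<title>setHTML() vs innerHTML (added demo, not from the thread)</title>
<div id="safe"></div>
<div id="raw"></div>
<pre id="out"></pre>
<script>
  // Constructed input: one harmless element, one script element, and an
  // XSS-unsafe event-handler attribute on an otherwise ordinary element.
  // The "<\/script>" escape keeps the HTML parser from ending this script block.
  const untrusted =
    '<p>hello</p>' +
    '<script>document.title = "script ran"<\/script>' +
    '<img src="x" onerror="document.title = \'handler ran\'">';

  // Configuration that *explicitly allows* script and img. The shape follows
  // the SanitizerConfig description on MDN; treat it as an assumption.
  const permissive = { elements: ['p', 'script', 'img'] };

  const safe = document.getElementById('safe');
  const raw  = document.getElementById('raw');
  const out  = document.getElementById('out');

  if (typeof safe.setHTML !== 'function') {
    out.textContent = 'Element.setHTML() is not available in this browser.';
  } else {
    // setHTML(): the allow list is honoured, but, per the quoted docs,
    // XSS-unsafe elements and attributes are removed regardless of it.
    safe.setHTML(untrusted, { sanitizer: permissive });

    // innerHTML: no sanitisation at all, the markup is inserted as written.
    raw.innerHTML = untrusted;

    const img = safe.querySelector('img');
    out.textContent = [
      'setHTML result:   ' + safe.innerHTML,
      'innerHTML result: ' + raw.innerHTML,
      // Count of script nodes surviving each path.
      'script nodes after setHTML:   ' + safe.querySelectorAll('script').length,
      'script nodes after innerHTML: ' + raw.querySelectorAll('script').length,
      // Whether the event-handler attribute survived the sanitised path.
      'onerror kept after setHTML:   ' + (img ? img.hasAttribute('onerror') : 'img removed'),
    ].join('\n');
  }
</script>
```

Open the file in a browser and read the `<pre>` block, then watch the document title: the innerHTML path lets the `onerror` handler fire (parser-inserted scripts via innerHTML do not execute, but event-handler attributes do), which is exactly the footgun the setHTML() path refuses to make convenient even when the caller's configuration asks for it.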
hsbauauvhabzb No.45675456
Ideally this should be called dangerouslySetInnerHTML but hindsight blah blah