
Element: setHTML() method

(developer.mozilla.org)
170 points todsacerdoti | 1 comments
evilpie No.45674985
We enabled this by default in Firefox Nightly (only) this week.
replies(1): >>45675933 #
spankalee No.45675933
I'll be very excited to use this in Lit when it hits baseline.

While lit-html templates are already XSS-hardened because template strings aren't forgeable, we do have utilities like `unsafeHTML()` that let you treat untrusted strings as HTML, which are currently... unsafe.

With `Element.setHTML()` we can make a `safeHTML()` directive and let the developer specify sanitizer options too.

replies(2): >>45676099 #>>45678737 #
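As an added illustration of the `safeHTML()` directive idea in the comment above (example code written for this page, not Lit's own directive and not code from MDN), the helper below calls `Element.setHTML()` with a caller-supplied sanitizer config when the method exists and otherwise renders the string as text instead of falling back to `innerHTML`. The option shape `{ sanitizer: { elements, attributes } }` follows the HTML Sanitizer API draft as I read it and should be checked against the spec; the `BASIC_FORMATTING` allowlist, the `fakeElement` stand-in and the sample string are constructed for this example so it runs without a browser.

```javascript
// Added example: framework-agnostic "safeHTML" versus "unsafeHTML".
// Not Lit's code. The sanitizer config shape is an assumption based on
// the HTML Sanitizer API draft; verify against the current spec.

// Allowlist: basic formatting only, and only href on anchors.
// (Constructed for this example; tighten for real use.)
const BASIC_FORMATTING = {
  elements: ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'],
  attributes: ['href'],
};

// The pattern the thread calls "unsafe": an untrusted string parsed as
// markup with no sanitization. Kept here only as the contrast case.
function unsafeHTML(el, html) {
  el.innerHTML = html;
  return 'unsanitized';
}

// Safe counterpart: prefer the browser's built-in sanitizer. Where
// setHTML() is missing, do NOT degrade to innerHTML; assign textContent
// so the input is never interpreted as markup (fail closed).
function safeHTML(el, html, config = BASIC_FORMATTING) {
  if (typeof html !== 'string') throw new TypeError('html must be a string');
  if (typeof el.setHTML === 'function') {
    // Per the draft, setHTML() applies a safe baseline on top of the
    // config, so script-executing content is dropped regardless.
    el.setHTML(html, { sanitizer: config });
    return 'sanitized';
  }
  el.textContent = html;
  return 'text-fallback';
}

// Constructed stand-in for an Element so the helpers can be exercised
// outside a browser. It only records what was done to it.
function fakeElement({ withSetHTML }) {
  const el = { calls: [], innerHTML: '', textContent: '' };
  if (withSetHTML) {
    el.setHTML = (html, options) => { el.calls.push({ html, options }); };
  }
  return el;
}

// Constructed sample input: a benign paragraph plus an event-handler payload.
const UNTRUSTED = '<p>hi</p><img src=x onerror=alert(1)>';

// Stand-alone demonstration of the three paths.
const modern = fakeElement({ withSetHTML: true });
console.log(safeHTML(modern, UNTRUSTED), modern.calls[0].options);
const legacy = fakeElement({ withSetHTML: false });
console.log(safeHTML(legacy, UNTRUSTED), JSON.stringify(legacy.textContent));
const naive = fakeElement({ withSetHTML: false });
console.log(unsafeHTML(naive, UNTRUSTED), naive.innerHTML);
```

The fallback branch is the design point: a directive named `safeHTML` must never silently become `innerHTML` on browsers that lack `setHTML()`. Note also that the no-sanitize counterpart shipped alongside it is `setHTMLUnsafe()`, which such a directive should never call.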
StrauXX No.45676099
Why don't you use DOMPurify right now? It's battle tested and supports configs just like this proposal.
replies(2): >>45676509 #>>45676629 #
ffsm8 No.45676509
Why would the framework do that?

The app developers can still use that right now, but if the framework forces its usage it'd unnecessarily increase package size for people that didn't need it.