Most active commenters
  • intrasight(3)

←back to thread

Element: setHTML() method

(developer.mozilla.org)
170 points todsacerdoti | 11 comments | | HN request time: 0.439s | source | bottom
Show context
michalpleban ◴[] No.45674843[source]
So is this basically a safe version of innerHTML?
replies(2): >>45674953 #>>45677088 #
1. intrasight ◴[] No.45677088[source]
I'm confused as to why you need a "safe" version if you're the one generating and injecting the HTML.
replies(5): >>45677311 #>>45677377 #>>45678388 #>>45678704 #>>45679220 #
2. evbogue ◴[] No.45677311[source]
Why should a web page only have a single person generating and injecting HTML into it?
replies(2): >>45678210 #>>45678259 #
3. matmo ◴[] No.45677377[source]
Isn't this kinda like asking "why does my gun need a safety if I'm the only one consciously pulling the trigger"?
4. intrasight ◴[] No.45678210[source]
A single company. Why would I let another company inject HTML into my page?
replies(1): >>45678306 #
5. intrasight ◴[] No.45678259[source]
The analogy doesn't hold markup ;)

Whether I generate a whole page or generate a partial page and then add HTML to it is equivalent from a safety perspective.

6. afavour ◴[] No.45678306{3}[source]
There's this newfangled concept called social media where you let other people post content that exists on your web site. You're rarely allowed to post HTML because of the associated issues with sanitizing it. setHTML could help with that.
replies(1): >>45678467 #
7. theendisney ◴[] No.45678388[source]
It was kind of strange to have bbcode and wiki markup specifically to avoid allowing users to use html.
replies(1): >>45678759 #
8. president_zippy ◴[] No.45678467{4}[source]
I just had a flashback to the heyday of MySpace. Now that I think about it though, Neocities has the "social networking" of being able to discover other people's pages and give each other likes and comments.

Hmmm...

9. halapro ◴[] No.45678704[source]
If you generate it from completely static and known values, have at it.

If you include user-provided data, then you should sanitize it for HTML.

10. masklinn ◴[] No.45678759[source]
Gruber’s original markdown tool passes HTML straight through, it was designed to make writing long-form content easier.

Markdown implementations can do any of that, only allowing a whitelist of HTML elements (GFM), or not allowing HTML at all.

11. jeroenhd ◴[] No.45679220[source]
As it turns out, verifying that HTML is safe to render without neutering HTML down to a whitelist of elements is actually quite difficult. That's not great when you're rendering user-generated content.

Solutions in the form of pre-existing HTML sanitisation libraries have existed for years but countless websites still manage to get XSS'd every year because not everyone capable of writing code is capable of writing secure code.