(developer.mozilla.org)

170 points todsacerdoti | 1 comments | 22 Oct 25 09:03 UTC | HN request time: 0.207s | source

Show context

ishouldbework ◴[22 Oct 25 21:16 UTC] No.45675241[source]▶

> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

If the method was called setXSSSafeSubsetOfHTML sure I guess, but feels weird for setHTML to have impossible-to-override filter.

replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #

strbean ◴[22 Oct 25 21:23 UTC] No.45675336[source]▶

>>45675241 #

This is primarily an ergonomic addition, so it kinda makes sense to me to not make the dangerous footguns more ergonomic in the process. You can still assign `innerHTML` etc. to do the dangerous thing.

replies(2): >>45675456 #>>45675472 #

meowface ◴[22 Oct 25 21:37 UTC] No.45675472[source]▶

>>45675336 #

I agree, though I also agree with the parent that the method name is a little bit confusing. "safeSetHTML" or "setUntrustedHTML" or something would be clearer.

replies(4): >>45676054 #>>45677128 #>>45677840 #>>45677920 #

1. SoftTalker ◴[23 Oct 25 03:22 UTC] No.45677840[source]▶

>>45675472 #

Why not name it what it does: sanitizeAndSetHTML

↑

Element: setHTML() method