(developer.mozilla.org)

170 points todsacerdoti | 1 comments | 22 Oct 25 09:03 UTC | HN request time: 0.208s | source

Show context

ishouldbework ◴[22 Oct 25 21:16 UTC] No.45675241[source]▶

> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped?

If the method was called setXSSSafeSubsetOfHTML sure I guess, but feels weird for setHTML to have impossible-to-override filter.

replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #

strbean ◴[22 Oct 25 21:23 UTC] No.45675336[source]▶

>>45675241 #

This is primarily an ergonomic addition, so it kinda makes sense to me to not make the dangerous footguns more ergonomic in the process. You can still assign `innerHTML` etc. to do the dangerous thing.

replies(2): >>45675456 #>>45675472 #

meowface ◴[22 Oct 25 21:37 UTC] No.45675472[source]▶

>>45675336 #

I agree, though I also agree with the parent that the method name is a little bit confusing. "safeSetHTML" or "setUntrustedHTML" or something would be clearer.

replies(4): >>45676054 #>>45677128 #>>45677840 #>>45677920 #

1. xp84 ◴[23 Oct 25 03:38 UTC] No.45677920[source]▶

>>45675472 #

Naming things in that manner hasn’t proven to be a good idea over the years.

When you have 2 of something and one is safe/better and the other one is known to be problematic, you give the awkward name to the problematic one and the obvious name to the safe/better one. Noobs oughtn’t to be attempting the other one, and anyone who is mature enough to have reason to do it, are mature enough to appreciate the reason behind that complexity.

↑

Element: setHTML() method