Element: setHTML() method

(developer.mozilla.org)
205 points todsacerdoti | 3 comments
michalpleban ◴[] No.45674843[source]
So is this basically a safe version of innerHTML?
replies(2): >>45674953 #>>45677088 #
Octoth0rpe ◴[] No.45674953[source]
Yes, although a slightly more relevant way of putting it would be that it's an inbuilt DOMPurify (dompurify being an npm package commonly used to sanitize html before injecting it).
replies(1): >>45678500 #
1. ngold ◴[] No.45678500[source]
Is this basically doing the same thing as https now? But for http, and Firefox just never implemented a simple fix for its entire existence until now?

I obviously know nothing about this, but I still find it fascinating. Or am I off my block.

replies(2): >>45678750 #>>45679659 #
2. masklinn ◴[] No.45678750[source]
This has nothing whatsoever to do with http.
3. bilekas ◴[] No.45679659[source]
XSS isn't related to https/ssl. ssl is the secure connection between you and the server, but xss is the injection of data into the site which will be executed in your browser in this case. The connection isn't relevant.

https://developer.mozilla.org/en-US/docs/Web/Security/Attack...
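
Added example, not part of the thread or of the linked MDN page: a helper that prefers the built-in `setHTML()` sanitizer, falls back to a caller-supplied sanitizer (assumed here to be something like `(html) => DOMPurify.sanitize(html)`), and otherwise renders the input as inert text. The names `renderUntrusted`, `sanitizeFallback` and `SAMPLE_COMMENT` are hypothetical.

```javascript
// Constructed sample input: user-supplied markup carrying an event handler.
const SAMPLE_COMMENT = '<p>Hello</p><img src="x" onerror="track()">';

// Insert untrusted markup into `el` using the safest mechanism available.
// Returns which path was taken so callers can log or measure coverage.
function renderUntrusted(el, untrustedHtml, sanitizeFallback) {
  if (typeof el.setHTML === "function") {
    // Built-in path: the browser parses and sanitizes in a single step,
    // so there is no gap between the sanitizer's parse and the DOM's parse.
    el.setHTML(untrustedHtml);
    return "setHTML";
  }
  if (typeof sanitizeFallback === "function") {
    // Library path (assumption: the callback returns a sanitized string,
    // as DOMPurify.sanitize does by default).
    el.innerHTML = sanitizeFallback(untrustedHtml);
    return "fallback";
  }
  // Fail closed: with no sanitizer at all, never touch innerHTML.
  // textContent shows the markup as literal characters instead.
  el.textContent = untrustedHtml;
  return "text";
}

// Browser usage (commented out so the block also loads outside a browser):
// renderUntrusted(document.querySelector("#comment"), SAMPLE_COMMENT,
//                 (html) => DOMPurify.sanitize(html));
```
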