←back to thread

Element: setHTML() method

(developer.mozilla.org)
207 points todsacerdoti | 1 comments | 22 Oct 25 09:03 UTC | HN request time: 0.201s | source
Show context
modinfo ◴[22 Oct 25 22:45 UTC] No.45676114[source]
Cursor build a pseudo-sethtml: https://github.com/skorotkiewicz/pseudo-sethtml
replies(2): >>45676607 #>>45680649 #
exdeejay_ ◴[22 Oct 25 23:50 UTC] No.45676607[source]
This code only does the most basic and naive regex filtering that even a beginner XSS course's inputs would work against. With the Node example code and input string:

  <p>Hello <scr<script>ipt>alert(1)</scr<script>ipt> World</p>
The program outputs:

  $ node .
  <p>Hello <script>alert(1)</script> World</p>
  {
    sanitizedHTML: '<p>Hello <script>alert(1)</script> World</p>',
    wasModified: true,
    removedElements: [],
    removedAttributes: []
  }
Asking a chatbot to make a security function and then posting it for others to use without even reviewing it is not only disrespectful, but dangerous and grossly negligent. Please take this down.
replies(1): >>45677975 #
codedokode ◴[23 Oct 25 03:48 UTC] No.45677975[source]
I wonder why Cursor chose regex approach when it is widely known that it is a wrong method. Is it a result of training on low-quality forums for beginners?
replies(3): >>45678618 #>>45680051 #>>45681046 #
1. ◴[23 Oct 25 05:58 UTC] No.45678618[source]