
Element: setHTML() method

(developer.mozilla.org)
214 points todsacerdoti | 2 comments

ishouldbework No.45675241
> It then removes any HTML entities that aren't allowed by the sanitizer configuration, and further removes any XSS-unsafe elements or attributes — whether or not they are allowed by the sanitizer configuration.

Emphasis mine. I do not understand this design choice. If I explicitly allow the `script` tag, why should it be stripped?

If the method were called setXSSSafeSubsetOfHTML, sure, I guess, but it feels weird for setHTML to have an impossible-to-override filter.

replies(8): >>45675325 #>>45675333 #>>45675336 #>>45675342 #>>45675791 #>>45677986 #>>45678424 #>>45678786 #
1. masklinn No.45678786
> feels weird for setHTML to have an impossible-to-override filter.

It really doesn’t. We’ve had decades of experience telling us that safe behaviour is critical.

> I do not understand this design choice. If I explicitly allow the `script` tag, why should it be stripped?

Because there’s an infinitesimal number of situations where it’s not broken, and that means you should have to put in work to get there.

`innerHTML` still exists, and `setHTMLUnsafe` has no filtering whatsoever by default (not even the script deactivation innerHTML performs).

replies(1): >>45680700 #
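The three APIs the reply contrasts behave differently on untrusted markup, and the thread's point is that listing `script` in a setHTML() sanitizer configuration does not bring it back. The following is an added example written for this thread, not code from MDN or from either commenter: a small rendering helper that prefers setHTML() with an explicit allow-list, and falls back to textContent (no markup at all) where the Sanitizer API is absent rather than reaching for innerHTML or setHTMLUnsafe. The sanitizer configuration shape (`elements` / `attributes`) follows the current MDN SanitizerConfig documentation, which is an assumption since this thread does not show it; the `renderUntrusted` name and the mock element are constructed for illustration.

```javascript
// Allow-list the caller wants. "script" is listed on purpose to mirror the
// thread: setHTML() still drops it, because the XSS-unsafe baseline is not
// overridable by configuration. (Config key names assumed from MDN's
// SanitizerConfig; verify against your browser's implementation.)
const ALLOWED_CONFIG = {
  elements: ["p", "b", "i", "a", "ul", "li", "script"],
  attributes: ["href"],
};

// Render untrusted HTML into `target`. Returns which path was taken so the
// caller (or a test) can see what happened. `target` is a DOM Element in a
// browser; here it can be any object exposing the same surface.
function renderUntrusted(target, html) {
  if (typeof target.setHTML === "function") {
    // Safe path: setHTML() parses, applies ALLOWED_CONFIG, then removes
    // script elements, event-handler attributes and javascript: URLs
    // regardless of the config. Nothing here can execute script.
    target.setHTML(html, { sanitizer: ALLOWED_CONFIG });
    return "setHTML";
  }
  // No Sanitizer API. innerHTML would not run <script> inserted this way but
  // still honours inline event handlers, and setHTMLUnsafe() filters nothing,
  // so degrade to plain text instead of trusting the markup.
  target.textContent = html;
  return "textContent";
}

// Constructed sample: what a page would receive from an untrusted source.
const UNTRUSTED_SAMPLE =
  '<p onclick="alert(1)">hi <b>there</b></p><script>alert(2)</script>';

// Stand-alone run: a mock element standing in for document.createElement().
// In a real page, pass the element itself: renderUntrusted(el, html).
const mockElement = {
  setHTML(html, opts) {
    this.lastHtml = html;
    this.lastOpts = opts;
  },
};
console.log(renderUntrusted(mockElement, UNTRUSTED_SAMPLE)); // "setHTML"
```

The helper deliberately never chooses innerHTML or setHTMLUnsafe() on its own; those are the explicit opt-in paths the reply mentions, and a renderer for untrusted input should not reach them by accident when feature detection fails.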
2. ishouldbework No.45680700
I did not notice setHTMLUnsafe exists. That makes it (in my, unimportant, opinion) fine.