
Element: setHTML() method

(developer.mozilla.org)
207 points by todsacerdoti | 1 comment
michalpleban No.45674843
So is this basically a safe version of innerHTML?
replies(2): >>45674953 >>45677088
intrasight No.45677088
I'm confused as to why you need a "safe" version if you're the one generating and injecting the HTML.
replies(6): >>45677311 >>45677377 >>45678388 >>45678704 >>45679220 >>45679443
1. jeroenhd No.45679220
As it turns out, verifying that HTML is safe to render without neutering HTML down to a whitelist of elements is actually quite difficult. That's not great when you're rendering user-generated content.

Solutions in the form of pre-existing HTML sanitisation libraries have existed for years but countless websites still manage to get XSS'd every year because not everyone capable of writing code is capable of writing secure code.
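An added illustration of the point made in this comment, not code from MDN, from the Sanitizer API spec or from any commenter: a blocklist-style sanitizer of the kind home-grown code tends to ship beside an allowlist one, with a check a defender can run over either's output, and a hypothetical `renderUntrusted` helper showing where `setHTML()` fits. The tag and attribute regexes are a toy tokenizer for the demo; the sample markup is constructed.

```javascript
// Added illustration for the thread (not MDN's or the spec's code): why a
// home-grown "strip the dangerous bits" sanitizer fails, what an allowlist one
// looks like, and where Element.setHTML() fits. The tag/attribute regexes are
// a toy tokenizer for the demo; production sanitization must go through the
// browser's real HTML parser, which is exactly what setHTML() gives you.

// 1. Blocklist approach: remove <script> elements and hope nothing else runs code.
function naiveSanitize(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
}

// Defender's check over sanitizer output: does any tag still carry an inline
// event-handler attribute (onload, onerror, onclick, ...)?
function hasInlineHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// 2. Allowlist approach: only listed elements and, per element, listed
//    attributes survive; URL attributes must be relative or http(s).
const ALLOWED = {
  p: [], b: [], i: [], em: [], strong: [], ul: [], ol: [], li: [], br: [],
  a: ["href", "title"],
  img: ["src", "alt"],
};
const URL_ATTRS = new Set(["href", "src"]);

function safeUrl(value) {
  const v = value.trim().toLowerCase();
  if (/^[a-z][a-z0-9+.-]*:/.test(v)) {          // has a scheme
    return v.startsWith("http:") || v.startsWith("https:");
  }
  return true;                                   // relative URL or fragment
}

function allowlistSanitize(html) {
  // Script and style content is never text worth keeping: drop element and body.
  const noScript = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1>/gi, "");
  return noScript.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g, (tag, name, attrs) => {
    const el = name.toLowerCase();
    if (!(el in ALLOWED)) return "";             // unknown element: drop the markup, keep text
    if (tag.startsWith("</")) return `</${el}>`;
    const kept = [];
    const attrRe = /([a-zA-Z-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
    let m;
    while ((m = attrRe.exec(attrs)) !== null) {
      const attr = m[1].toLowerCase();
      if (!ALLOWED[el].includes(attr)) continue; // on*, style, srcdoc... are never listed
      const raw = m[2] === undefined ? "" : m[2].replace(/^["']|["']$/g, "");
      if (URL_ATTRS.has(attr) && !safeUrl(raw)) continue;
      kept.push(`${attr}="${raw.replace(/"/g, "&quot;")}"`);
    }
    return `<${el}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// 3. What the thread is about: in a browser, let the engine do it. setHTML()
//    parses with the real HTML parser and applies a built-in allowlist, so the
//    page never ships tokenizing code like the above. Hypothetical helper;
//    falls back to rendering as plain text where setHTML() is unavailable.
function renderUntrusted(container, html) {
  if (typeof container.setHTML === "function") {
    container.setHTML(html);
  } else {
    container.textContent = html;
  }
}

// Constructed sample: markup a comment form might receive.
const SAMPLE = '<p>hello</p><img src=x onerror="handler()"><a href="javascript:handler()">link</a>';
console.log(naiveSanitize(SAMPLE));       // <script> gone, handler and javascript: URL remain
console.log(allowlistSanitize(SAMPLE));   // <p>hello</p><img src="x"><a>link</a>
```

The blocklist version passes the sample through untouched, which is the failure mode the comment describes: the dangerous surface is not one element but every attribute and URL scheme the parser will honour. The allowlist version is structurally the right shape, but its regex tokenizer is still not the browser's parser, so in a page the `setHTML()` branch of `renderUntrusted` is the one to rely on.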