> So you can still inject <h1> or <br><br><br>... etc into your username,...

embedding-shape • yesterday at 2:26 PM • 1 reply • view on HN

> So you can still inject <h1> or <br><br><br>... etc into your username, in the given example

How exactly, given that setHTML sanitizes the input? If you don't want to have any HTML tags allowed, seems you can configure that already? https://wicg.github.io/sanitizer-api/#built-in-safe-default-...

Replies

Aachen • yesterday at 2:29 PM

> How exactly, given that setHTML sanitizes the input?

The article says that the output is:

    <h1>Hello my name is</h1>

So it keeps (non-script) html tags (and presumably also attributes) in the input. Idk how you're asking "how" since it's the default behavior

Stripping HTML tags completely has always been possible with the drop-in replacement `textContent`. Making a custom configuration object for that is much more roundabout

➕ show 1 reply

alt Hacker News

Replies