
cogman10 today at 2:26 PM

Seems like this has a bunch of footguns. Particularly if you interact with the Sanitizer API, and particularly if you use the "remove" sanitizer API.

Don't get me wrong, better than nothing, but also really really consider just using "setText" instead and never allow the user to add any sort of HTML to the document.


Replies

lelanthran today at 6:38 PM

> never allow the user to add any sort of HTML to the document.

What about when the author of the page wants to add large HTML fragments to the page?

Are you saying that you cannot think of a single use for this, considering how often innerHTML is being used?

evilpie today at 2:47 PM

Using an allowlist-based Sanitizer you are definitely less likely to shoot yourself in the foot, but as long as you use setHTML you can't introduce XSS at least.

GalaxyNova today at 5:29 PM

It's worse than nothing, since inevitably people will use this thinking it's 100% safe when it's not.