upvote

points

by Aachen9 hours ago |
comments
upvoteby embedding-shape9 hours ago|
[-]
Yes, because that's the default configuration, if you don't want that, stop using the default configuration? It's still sanitizing away the common XSS holes, hence it's a safer alternative to .innerHTML, and a more flexible alternative to .innerText
reply
upvoteby Aachen9 hours ago|
parent|
[-]
Shouldn't use innerText anyway (nonstandard, worse performance, tries to parse the HTML and gives you unexpected behavior if e.g. a style is set that makes an element invisible but still has text inside, doesn't work on all DOM nodes...)

I can see how it's a way of allowing some tags like bold and italic without needing a library or some custom parser, but I didn't understand what the point of this default could be and so why it exists (a sibling comment proposed a plausible answer: hardening on top of another solution)

> Yes, because that's the default configuration, if you don't want that, stop using the default configuration?

"don't use it if it's not what you want" is perhaps the silliest possible answer to the question "what's the use-case for this"

reply
upvoteby embedding-shape9 hours ago|
parent|
next
[-]
> Shouldn't use innerText anyway (nonstandard, worse performance, tries to parse the HTML and gives you unexpected behavior if e.g. a style is set that makes an element invisible but still has text inside, doesn't work on all DOM nodes...)

Maybe you meant .innerHTML? .innerText AFAIK doesn't try to parse HTML (why would it?), but I don't understand what you mean with nonstandard, both .innerHTML and .innerText are part of the standards, and I think they've been for a long time.

> but I didn't understand what the point of this default could be and so why it exists (a sibling comment proposed a plausible answer: hardening on top of another solution) [...] the question "what's the use-case for this"

I guess maybe third time could be the charm: it's for preventing XSS holes that are very common when people use .innerHTML

reply
upvoteby Aachen9 hours ago|
parent|
[-]
> maybe third time could be the charm: it's for preventing XSS holes

That information is in the question, so sadly no this still doesn't make sense to me because I don't understand any scenario in which this is what the developer wants. You always still need more code (to filter the right tags) or can just use textContent (separating data and code completely, imo the recommended solution)

> Maybe you meant .innerHTML? .innerText AFAIK doesn't try to parse HTML (why would it?)

No, I didn't mean that, yes it does, and no I don't know why it is this way. If you don't believe me and don't want to check it out for yourself, I'm not sure what more I can say

reply
upvoteby lelanthran5 hours ago|
parent|
[-]
> I don't understand any scenario in which this is what the developer wants.

Client-side includes.

reply
upvoteby benregenspan9 hours ago|
parent|
prev|
[-]
It seems like the goal of the default configuration is preventing script injection while being otherwise very permissive. Basically, "safer than innerHTML, even when used very lazily". But I would expect guidance to evolve saying that it almost never makes sense to use the default and instead to specify a configuration that makes contextual sense for a given field.

The default might be suitable for something like an internal blog where you want to allow people to sometimes go crazy with `<style>` tags etc, just not inject scripts, but I would expect it to almost always make sense to define a specific allowed tag and attribute list, as is usually done with the userland predecessors to this API.

reply