by bakugo 720 days ago
> If you allow random users to write arbitrary unsanitized HTML into other users’ pages, you have already lost

Not really. The whole point of CSP is that, even if someone manages to inject arbitrary HTML into your page due to a bug or oversight, you can prevent injected scripts from running entirely, severely limiting what an attacker can do.

I'm surprised at the amount of comments on this post that seem to be completely clueless about CSP.


CSP is a backstop that—when configured properly and used alongside restraint in how you script—can minimize some of the worst consequences of injection.

It doesn’t wash your hands clean of the responsibility to restrict what kinds of content users can inject into served pages.

> if someone manages to inject arbitrary HTML

If they can, why wouldn’t it be inline <script>?

Because CSP can be configured to block inline scripts.
The syntax to allow inline scripts is even "unsafe-inline" to emphasize that you are entering the danger zone.
Serving HTML with string concatenation is just like creating SQL statements with string concat.

At least that's how I see it. Ideally you'd use something similar to prepared statements, just for HTML templates.
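As an added example (not code from the thread), a small Python helper that issues a nonce-based CSP, a checker that flags whether a policy's script-src would still let an injected inline script run (applying the CSP rule that a nonce or hash source makes 'unsafe-inline' ignored), and an escaped-template renderer in the spirit of "prepared statements for HTML". The function names and the sample comment are my own.

```python
import html
import secrets


def new_nonce() -> str:
    """Fresh per-response nonce; a nonce must never be reused across responses."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """CSP value that blocks every inline <script> except ones carrying this nonce.
    object-src and base-uri are locked down so plugins and <base> rewrites cannot
    be used as a side door. 'strict-dynamic' is left out to keep the example short."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def script_src_allows_inline(policy: str) -> bool:
    """True if an injected inline <script> would run under this policy.
    script-src is used when present, otherwise default-src; with neither directive
    the browser applies no restriction at all. Per CSP Level 2+, 'unsafe-inline'
    is ignored whenever the same directive also lists a nonce- or hash-source."""
    directives = {}
    for raw in policy.split(";"):
        parts = raw.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def render_comment_page(user_comment: str, nonce: str) -> str:
    """Template-style rendering: untrusted text is HTML-escaped, and the page's own
    script carries the nonce so it keeps working under csp_header(nonce)."""
    return (
        "<!doctype html><body>"
        f'<div class="comment">{html.escape(user_comment, quote=True)}</div>'
        f'<script nonce="{nonce}">console.log("app code");</script>'
        "</body>"
    )
```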