|
|
|
|
|
|
by masklinn
242 days ago
|
|
|
> feels weird for setHTML to have impossible-to-override filter. It really doesn’t. We’ve decades of experience telling us that safe behaviour is critical. > I do not understand this design choice. If I explicitly allow `script` tag, why should it be stripped? Because there’s an infinitesimal number of situations where it’s not broken, and that means you should have to put in work to get there. `innerHTML` still exists, and `setHTMLUnsafe` has no filtering whatsoever by default (not even the script deactivation innerHTML performs). |
|
|