PSA: Don’t use `textContent`/`innerText` or `createTextNode` to strip or escape HTML. http://benv.ca/2012/10/4/you-are-probably-misusing-DOM-text-methods/ … #xss
@jedschmidt Fair point. But seeing as that’s what most templating engines are using, `innerHTML` probably isn’t going away anytime soon :(
@mathias @jedschmidt I don’t use innerHTML for readability reasons but what’s the problem in using it otherwise?
@bdc @jedschmidt The problem is it’s easy to make a mistake when building HTML strings and end up with a security vulnerability.
@mathias @jedschmidt fwiw, innerHTML doesn’t execute <script> tags
@thomasfuchs @mathias right, but it will set dangerous attributes, as TFA points out.
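The two points above (a `textContent`/`innerHTML` round-trip is not an escaper, and `innerHTML` will happily set attributes) can be checked without a browser. The following is an added example, not code from the thread or from the linked article; `domTextRoundTrip` is my emulation of what the HTML serializer emits for a text node (it escapes only `&`, `<`, `>` and U+00A0, which is why quotes survive), `escapeHtml` is a context-aware escaper, and the input string is constructed.

```javascript
// Added example: why reading back `el.textContent = s; el.innerHTML` is not
// an HTML escaper, and what a reviewer should check instead.

// Emulation (assumption: matches the HTML fragment serialization of a text
// node) of the browser round-trip `el.textContent = s; return el.innerHTML`.
// Only &, <, > and no-break space are escaped; quotes pass through untouched.
function domTextRoundTrip(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/\u00a0/g, "&nbsp;");
}

// An escaper that is safe for text content AND for double- or single-quoted
// attribute values, which is the context the round-trip gets wrong.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Check to run over any escaping routine before it is used inside an
// attribute: nothing that can close a quoted value or a tag may remain.
function safeForAttributeValue(escaped) {
  return !/["'<>]/.test(escaped);
}

// Constructed untrusted input containing both kinds of quote.
const untrusted = `Tom's "quoted" <name> & co`;

// Compare the two approaches on the same input.
function demo() {
  const roundTrip = domTextRoundTrip(untrusted);
  const escaped = escapeHtml(untrusted);
  return {
    roundTrip,                      // quotes still present
    escaped,                        // quotes encoded
    roundTripSafeInAttr: safeForAttributeValue(roundTrip), // false
    escapedSafeInAttr: safeForAttributeValue(escaped),     // true
  };
}

// The approach that avoids the escaping question entirely: build nodes and
// set text and attributes through the DOM instead of concatenating strings.
// (Browser-only; hypothetical helper, not called when run under Node.)
function renderUserCard(container, name, homepage) {
  const card = container.ownerDocument.createElement("div");
  const link = container.ownerDocument.createElement("a");
  link.textContent = name;            // text is text, no parsing happens
  link.setAttribute("title", name);   // attribute value set without markup
  link.setAttribute("href", homepage);
  card.appendChild(link);
  container.appendChild(card);
  return card;
}

console.log(demo());
```

`domTextRoundTrip` shows that the value is fine when it lands in element text but not when it is pasted between quotes in an HTML string, which is exactly the mistake described above. `renderUserCard` is the preferred fix: once the text and attribute are set through the DOM, there is no string for an attacker's quote to escape from (note that `href` still needs its own scheme check, which this example does not cover).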
@mathias @jedschmidt innerHTML unfortunately benefits from being faster than doing the same with DOM methods in a lot of circumstances...
@DavidBruant@mathias innerHTML performance issues are exacerbated by using templates, since folks end up rewriting more than they need.