MDN URL
https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML
What specific section or headline is this issue about?
No response
What information was incorrect, unhelpful, or incomplete?
Nothing
What did you expect to see?
I think we should try to explain that it's unsafe to do something like this:
div.setHTML(code);                    // parse #1: sanitized by setHTML
other_div.innerHTML = div.innerHTML;  // parse #2: the serialized string is parsed again, unsanitized
It's also unsafe to take the result of innerHTML, save it in a database and serve it again without using setHTML.
setHTML can't protect against bugs caused by the HTML code being parsed again (mXSS).
Do you have any supporting links, references, or citations?
https://wicg.github.io/sanitizer-api/#mutated-xss
Do you have anything more you want to share?
No response
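An added example (not from the MDN page and not the issue author's code) that puts the unsafe pattern from the report next to the fix, in browser JavaScript. The rule it encodes is the one the report asks for: setHTML sanitizes the tree produced by one parse, so every later parse of the serialized string (another element's innerHTML, or HTML coming back from a database) has to go through setHTML again. The function names copyUnsafe, copySafe, renderStored and demo are chosen here and are not part of the Sanitizer API.

```javascript
// Added example, not code from the MDN page or the issue author.
//
// Element.setHTML(html) parses `html`, sanitizes the resulting tree and
// inserts it. Reading innerHTML afterwards serializes that tree back to a
// string. Assigning that string to another element's innerHTML, or storing
// it and serving it later, parses it a second time, and the second parse can
// yield a different tree than the first (mutation XSS). setHTML only covered
// the first parse, so the second one must be sanitized as well.

// UNSAFE: sanitize once, then re-parse the serialization without sanitizing.
function copyUnsafe(src, dst, untrustedHtml) {
  src.setHTML(untrustedHtml);        // parse #1: sanitized
  dst.innerHTML = src.innerHTML;     // parse #2: NOT sanitized
  return dst;
}

// SAFE: treat every parse boundary as untrusted input and sanitize again.
function copySafe(src, dst, untrustedHtml) {
  src.setHTML(untrustedHtml);        // parse #1: sanitized
  dst.setHTML(src.innerHTML);        // parse #2: sanitized again
  return dst;
}

// Same rule for HTML that went through a database: when the stored string
// comes back it is untrusted input, regardless of what produced it.
function renderStored(target, storedHtml) {
  target.setHTML(storedHtml);
  return target;
}

// Browser demo: returns the re-sanitized markup, or null outside a browser
// or where Element.setHTML is not available (feature check, assumption).
function demo(untrustedHtml) {
  if (typeof document === "undefined" ||
      typeof Element === "undefined" ||
      typeof Element.prototype.setHTML !== "function") {
    return null;
  }
  const a = document.createElement("div");
  const b = document.createElement("div");
  copySafe(a, b, untrustedHtml);
  return b.innerHTML;
}
```

The point of copySafe is not that the serialized string is wrong, but that the parser that reads it is a second parser run on attacker-influenced input; sanitizing at each parse is what setHTML is for.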