hyperhello 3 days ago

To be fair, everything on the client is raw string interpolation. It's only secure if you comprehensively vet everything once it's on the server.

rafram 2 days ago | parent

That's absolutely not true. Sanitization on the client is significantly safer, because the client knows how it parses HTML, while the server can, at best, guess (and hope it follows the spec).

When you set element.textContent = someUserGeneratedContent, the browser guarantees that the user-generated content will never be parsed as HTML.

response.write("<div>" + sanitize(someUserGeneratedContent) + "</div>") has no such guarantee.

Aachen 10 hours ago | parent

That's not sanitisation, that's separating data from executable code. It's a better solution when possible, but the solution suggested above also works.

hyperhello 2 days ago | parent

If that’s all you want, it’s trivial to replace all < and & with their encodings.
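An added example, not code from any commenter, of the encoding approach hyperhello describes applied to the server-side response.write pattern rafram quotes. It goes slightly beyond the comment by also encoding `>` and both quote characters, which is what makes the same helper safe once a value is interpolated into an attribute and not only into a text node. The names escapeHtml, renderComment, countRawTags and the sample strings are this example's own.

```javascript
// Added example (Node.js, no dependencies): HTML-escaping for server-side
// string interpolation. On the client the same result comes for free from
// element.textContent / element.setAttribute, which never parse the value.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every character that can change how the browser tokenises the
// surrounding markup. `&` must be escaped too, otherwise an entity such as
// `&lt;` typed by the user would be decoded back into a `<` on render.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side rendering by concatenation, as in the thread's
// response.write("<div>" + ... + "</div>") example, with every user-controlled
// value run through escapeHtml. The author lands in an attribute, the body in
// a text node; quotes matter for the first, angle brackets for the second.
function renderComment(author, body) {
  return (
    `<div class="comment" data-author="${escapeHtml(author)}">` +
    `${escapeHtml(body)}</div>`
  );
}

// Constructed sample input: characters a user might legitimately type that
// would otherwise be read as markup or terminate the attribute early.
const SAMPLE_AUTHOR = 'Tom "the Cat" & Jerry';
const SAMPLE_BODY = "a < b && c > d, <b>not bold</b>";

// Self-check helper: count raw tag openers (`<` followed by a letter or `/`)
// in rendered markup. For renderComment the only ones present should be the
// template's own <div> and </div>, i.e. exactly 2.
function countRawTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
console.log("raw tags:", countRawTags(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY)));
```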