Aachen 9 hours ago

Injecting markup into someone else's website isn't what I'd call too strict a default configuration.

If you mean to convey that it's possible to configure it to filter properly, let me introduce you to `textContent`, which is older than Firefox (I'm struggling to find a date, it's so old).

itishappy 9 hours ago

That's the whole point of the setHTML. How would I set a header level using textContent?

Aachen 9 hours ago

The traditional way: separating data and code

    document.createElement("h1").textContent = `Hello, ${username}!`

If you allow <h1> in the setHTML configuration or use the default, users with the tag in their username also always get it rendered as markup.

itishappy 8 hours ago

It sounds like you're arguing against a specific use case, rather than the technology itself. If you don't want arbitrary markup in usernames, setHTML would absolutely be the wrong choice, but that's not really a good argument against setHTML.

matsemann 9 hours ago

Which is why you only use it where you want to allow some kind of HTML..?