Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
Dylan16807 3 hours ago

> There's no getting around knowing whether or any arbitrary string is legitimate markup from a trusted source or some untrusted input that needs to be treated like text. This is a hard requirement.

It is not a hard requirement that untrusted input is "treated like text". And this API lets you customize exactly what tags/attributes are allowed in the untrusted input. That's way better than telling everyone to write their own; it's not trivial.

cxr 5 minutes ago | parent | next [-]

[delayed]

cxr 3 hours ago | parent | prev [-]

[flagged]

Dylan16807 2 hours ago | parent [-]

I don't see how I differed from what you said? You divided strings going into HTML into two categories, where one category uses textContent and the other category uses innerHTML. My point is to disagree with those categories, not whatever subtle thing you're taking issue with.

cxr 2 hours ago | parent [-]

Oh, okay. Tell me, dipshit, are the follow two claims equivalent or different?:

"Everyone who files a tax return should know whether they need to pay at least $1000 in unpaid taxes to the IRS."

"Everyone who files a tax return needs to pay at least $1000 in unpaid taxes to the IRS."

> You divided strings going into HTML into two categories, where one category uses textContent and the other category uses innerHTML.

No, I didn't:

> setting elementNode.textContent is safe for untrusted inputs, and setting elementNode.innerHTML is unsafe for untrusted inputs

That's what I wrote: a statement containing two claims (both true—and not even in the part of my comment that you actually quoted and pretended to be replying to).

Dylan16807 2 hours ago | parent [-]

This is a totally different kind of statement. You're not dividing tax returns into two categories and then saying what to do with each category.

Those claims are different but not in a way that analogizes to the HTML conversation.

cxr 2 hours ago | parent [-]

I'd say I'm interested in hearing how you reason that knowing whether you need to pay at least $1000 in unpaid taxes to the IRS doesn't put you in one bucket or another, but I'm not.

Dylan16807 an hour ago | parent | next [-]

The IRS thing indirectly has categories but it doesn't say what to do with them, and what to do with them is what I disagreed with your original post on. I didn't say all input is untrusted or whatever analogizes to your tax thing.

Anyway, I see you edited your previous post after I wrote my reply.

If you weren't trying to divide things into two categories, you wrote it very confusingly. When you say how to handle trusted strings, then say how to handle untrusted strings, then say "There's no getting around knowing whether or any arbitrary string is legitimate markup from a trusted source or some untrusted input that needs to be treated like text. This is a hard requirement." it really sounds like that's supposed that's supposed to cover all cases.

Me thinking you were using two categories is an honest mistake, not malicious misquoting.

And reading your original post that way is the interpretation that makes it stronger. If there are more categories then SetHTML is no longer "fundamentally confused". Your argument against it falls apart.

cxr 22 minutes ago | parent [-]

Guess how interested I am in pretending that a debate with you—about this or anything else—is going to be worthwhile anything other than bigger waste of time than it already has been.

2 hours ago | parent | prev [-]
[deleted]