Hacker News

Aachen, yesterday at 2:29 PM (1 reply)

> How exactly, given that setHTML sanitizes the input?

The article says that the output is:

    <h1>Hello my name is</h1>

So it keeps (non-script) HTML tags (and presumably also attributes) in the input. Idk how you're asking "how" since it's the default behavior.

Stripping HTML tags completely has always been possible with the drop-in replacement `textContent`. Making a custom configuration object for that is much more roundabout.


Replies

embedding-shape, yesterday at 2:31 PM

Yes, because that's the default configuration; if you don't want that, stop using the default configuration? It's still sanitizing away the common XSS holes, hence it's a safer alternative to `.innerHTML` and a more flexible alternative to `.innerText`.
