You Can Finally Safely Use innerHTML (kind of)

#Shorts

Comments

Always assume the client is malicious... any and all sanitization and validation should be handled on the server side.

jtms

Sanitizing server side is the only way to be safe from stuff like that. This setHTML would only provide a false sense of security. If a client hacks themselves it's irrelevant, but if they can store something malicious that could affect other users, that's where the problem would be, and you would have to prevent that server side because clients can essentially do whatever they want, including custom browsers.

jonselleck

Every developer with more than 2 years experience just coughed at " *super common* mistake".

angshu

Still, it is vulnerable to HTML injection, and there are methods like DOM clobbering which can be applied.

spidermankhalifa

Tell me you went to a boot camp without telling me you went to a boot camp.

GeriatricMillenial

I'm waiting for the whole Sanitizer API to be eventually implemented by all browsers. +30% NOT having it means adding extra code and measures to prevent bad actors from tampering with the site. Even if they're unsuccessful, the nuisances and time this requires to check that TRULY nothing's happened just suxx.

CirTap

I can’t believe innerHTML became the standard for setting text in the DOM. Even recent tutorials still use it when it is way less secure than innerText.

jackdavenport

Well, from my studies I believe server side is better equipped to handle this and clean/cleanse the data. As I remember, anything exposed to the front end is possible to be hacked, and there is no way around that if someone really wants to be malicious.

webapple

A super common mistake developers make is that they think there is any security when their website runs on a browser on a computer that they don't own. The owner has access to and can modify every byte in that browser. They can add whatever JavaScript they want to your website, even without any inputs. Your website may even be running on a simulation of a browser.

jwstolk

Didn't know that; the solution I was using was changing any < symbol to &lt

chimichuflis

Gonna start using this method from now on.

abhinavgandham

ChatGPT said this video is wrong, in the sense that you can just use setHTML instead of innerHTML. It says it only works in some very specific areas.

Human_Evolution-

Yea we needed this 20 years ago, that would have been real nice. So now we probably have 2 decades worth of applications out there vulnerable from developers that didn't know better back then.

smorebytes

How does it determine which code is fishy and which is not? It just removes JS?

classicaf

The example does not show why it matters: you hacked just your own page in the browser. That is not a vulnerability; a user can run anything in the dev console to do stuff like that.

CaptainBradleySmith

not me forgetting that not everyone uses a framework, wow react really took over my workflow

grym

What a great programmer, man, you helped me a lot in my projects. I have a video idea: you can talk about data URIs like *data:image/svg+xml* or *data:text/html* or *data:text/plain*

saronarabeds

I fail to see a time where this would be an issue.
When would the end user who can exploit this... not just edit content in dev tools?
When would this get them anything useful?

OvhanDevos

const h2 = document.createElement('h2');
h2.innerText = input.value; // input is the <input> element holding the user's text

Then replace into the DOM, simples.

ShortFilmVD
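The thread above argues about three routes for user text into the page: escaping before innerHTML (the "change any < to &lt" comment), handing the browser a text node (the createElement/innerText snippet), and the Sanitizer API's setHTML. The block below is an added example, not code from the video or from any commenter, showing all three side by side. The helper names (escapeLtOnly, escapeHtml, buildTitleMarkup, renderUserText, setMarkupOrRefuse, fakeElement, demo) are this example's own, and fakeElement is a constructed stand-in so the file runs under Node without a DOM; only setHTML, textContent and innerHTML are real browser properties.

```javascript
// Added example, not code from the video or from any commenter: the three
// ways user-supplied text reaches the page that this thread argues about.
// Helper names (escapeLtOnly, escapeHtml, buildTitleMarkup, renderUserText,
// setMarkupOrRefuse, fakeElement, demo) are this example's own.

// 1. Escaping before innerHTML. Replacing only "<" with "&lt;" (as one comment
//    describes) leaves "&", ">" and both quote characters intact, so text that
//    lands inside a quoted attribute value can still end that attribute early.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeLtOnly(text) {
  return String(text).replace(/</g, "&lt;");
}

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds markup that places the text inside a double-quoted attribute, so the
// two escapers can be compared on the same input.
function buildTitleMarkup(escaper, text) {
  return `<div title="${escaper(text)}"></div>`;
}

// 2. Handing the browser a text node. Nothing in the string is parsed as
//    markup, so no escaping is needed. textContent is used rather than
//    innerText: innerText depends on CSS and forces layout, textContent does not.
function renderUserText(el, text) {
  el.textContent = String(text);
  return el;
}

// 3. Markup that must stay markup (a rich-text comment, say). Use the Sanitizer
//    API's setHTML where the browser provides it; where it does not, refuse to
//    insert markup rather than silently falling back to innerHTML.
function setMarkupOrRefuse(el, html) {
  if (typeof el.setHTML === "function") {
    el.setHTML(html); // browser-side sanitizer removes scripts and event-handler attributes
    return "sanitized";
  }
  el.textContent = String(html); // shown literally; nothing is executed
  return "unsupported-shown-as-text";
}

// Constructed stand-in for an Element so this file runs under Node. It only
// records what would have been assigned; it is not a real DOM node.
function fakeElement() {
  return { textContent: "", innerHTML: "" };
}

// Runs the comparison on constructed inputs and returns the results.
function demo() {
  const text = 'a" b';
  return {
    partial: buildTitleMarkup(escapeLtOnly, text), // attribute closes after "a"
    full: buildTitleMarkup(escapeHtml, text),      // one intact attribute
    asText: renderUserText(fakeElement(), "<b>x</b>").textContent,
    markup: setMarkupOrRefuse(fakeElement(), "<b>x</b>"),
  };
}

console.log(demo());
```

In a real browser the `partial` string parses as a div whose title is `a` followed by a stray attribute, while `full` parses as a single attribute holding the whole text; `setMarkupOrRefuse` returns "sanitized" only where `Element.prototype.setHTML` exists, which is the check a page has to make before relying on it.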

Next video will be - NEVER USE setHTML

kurtj