New blog post 😊

If you replace all the innerHTML with setHTML, you will be free from XSS and other injection attacks. Goodbye innerHTML, Hello setHTML

https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/

(Kudos to our folks for specifying, building and shipping!)

Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 – Mozilla Hacks - the Web developer blog

Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized security enhancing API, advancing a safer web for everyone. We expect other browsers to follow soon.

@freddy Can't wait for setHTML to have baseline support.
@dev Another browser is going to follow really really soon :)
@freddy @dev is there any attempt at a polyfill? I guess it's not really doable. Something using trusted types could work I suppose but could still have mXSS issues.
@Lukew @freddy I've been using https://github.com/cure53/DOMPurify for a long time for this purpose.
GitHub - cure53/DOMPurify: DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

@dev @freddy Yeah I suspect DOMPurify is the best fallback approach rather than an attempt at a true polyfill.
@Lukew @dev I had attempted a polyfill maybe 5 years ago where I tried to map the config dictionary from setHTML onto a DOMPurify config but I didn’t pursue it any further when the specification changed. But DOMPurify is a good replacement in browsers that don’t support the sanitizer!
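The fallback strategy the replies converge on (use the browser's setHTML where it exists, DOMPurify where it does not, and never raw innerHTML) as an added JavaScript example. This is not code from the Mozilla Hacks post, the Sanitizer specification or the DOMPurify project; it assumes the Sanitizer API shape `el.setHTML(html, { sanitizer })` and DOMPurify's `DOMPurify.sanitize(html)`, and it deliberately does not try to map the setHTML config dictionary onto a DOMPurify config, since the thread notes that a true polyfill is not really doable. The fake element and fake sanitizer at the bottom are constructed stand-ins so the block runs outside a browser.

```javascript
// Added example (not code from the Mozilla Hacks post or the DOMPurify project).
// Assumptions: Element.prototype.setHTML(html, { sanitizer }) as shipped in
// Firefox 148, and DOMPurify.sanitize(html) exposed as globalThis.DOMPurify.

// Feature detection: does this element support the standardized sanitizer?
function supportsSetHTML(el) {
  return typeof el.setHTML === "function";
}

// Insert untrusted HTML with the strongest mechanism available, in order:
//   1. setHTML with the built-in sanitizer (empty config = spec's safe default),
//   2. DOMPurify.sanitize + innerHTML, the fallback recommended in the thread,
//   3. textContent (no markup rendered at all) if neither is available.
// Returns which path was taken so callers and tests can check it.
function setSanitizedHTML(el, untrusted, { sanitizer = {}, purify = globalThis.DOMPurify } = {}) {
  if (supportsSetHTML(el)) {
    el.setHTML(untrusted, { sanitizer });
    return "setHTML";
  }
  if (purify && typeof purify.sanitize === "function") {
    el.innerHTML = purify.sanitize(untrusted);
    return "DOMPurify";
  }
  // Never fall through to raw innerHTML: losing markup is preferable to XSS.
  el.textContent = untrusted;
  return "textContent";
}

// Constructed stand-in so the block runs without a DOM (e.g. in Node):
// a minimal element that records what was written to it.
function fakeElement(withSetHTML) {
  const el = { innerHTML: "", textContent: "", log: [] };
  if (withSetHTML) {
    el.setHTML = (html, opts) => { el.log.push(["setHTML", html, opts]); };
  }
  return el;
}

// Constructed untrusted sample: markup carrying an inline event handler.
const UNTRUSTED = '<p>hi</p><img src=x onerror="alert(1)">';

// Constructed DOMPurify stand-in for offline runs only. Real DOMPurify parses
// and rebuilds the DOM; this regex merely drops on*="..." attributes for the demo.
const fakePurify = { sanitize: (html) => html.replace(/\son\w+="[^"]*"/gi, "") };

// Run all three paths and report which one each element took.
function demo() {
  const modern = fakeElement(true);
  const legacy = fakeElement(false);
  const bare = fakeElement(false);
  return {
    modern: setSanitizedHTML(modern, UNTRUSTED),
    legacy: setSanitizedHTML(legacy, UNTRUSTED, { purify: fakePurify }),
    bare: setSanitizedHTML(bare, UNTRUSTED, { purify: undefined }),
    legacyHTML: legacy.innerHTML,
    bareText: bare.textContent,
  };
}

console.log(demo());
```

In a real page, drop the fake element and call `setSanitizedHTML(document.querySelector("#out"), untrusted)`; the function picks setHTML in Firefox 148, DOMPurify where the library is loaded, and degrades to plain text rather than to an unsanitized innerHTML write.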