New blog post 😊

If you replace all the innerHTML with setHTML, you will be free from XSS and other injection attacks. Goodbye innerHTML, Hello setHTML

https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/

(Kudos to our folks for specifying, building and shipping!)

Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148 – Mozilla Hacks - the Web developer blog

Cross-site scripting (XSS) remains one of the most prevalent vulnerabilities on the web. The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM. Firefox 148 is the first browser to ship this standardized security enhancing API, advancing a safer web for everyone. We expect other browsers to follow soon.

@freddy
>If you replace all the innerHTML with setHTML, you will be free from XSS and other injection attacks.

Can't wait for the time when this statement will become false.
@phnt extremely looking forward to security research here. My challenge: any arbitrary value for a, b and c in this code for any given document should be secure: `a.setHTML(b, c)`. Pick the HTML context, the input and the config. If you achieve XSS, let me know. We have a bug bounty program :)
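An added example of the "replace innerHTML with setHTML" migration the thread discusses (it is not code from the post or from Mozilla). It assumes the `setHTML(html, { sanitizer: config })` call shape and the `elements` / `attributes` / `comments` config keys of the Sanitizer API; the allow-list, the sample untrusted input and the fake elements are constructed for the example so it runs outside a browser, and the sink-finding regex is a rough triage aid, not a parser.

```javascript
// Added example (not from the thread or from Mozilla): one helper that uses
// setHTML where available and never falls back to innerHTML when it is not.

// Sanitizer configuration in the Sanitizer API's allow-list shape. Anything
// not listed (script, iframe, event-handler attributes such as onerror,
// unlisted attributes) is dropped by the browser. This allow-list is an
// assumption chosen for the example, not the browser's default config.
const COMMENT_SANITIZER = {
  elements: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"],
  attributes: ["href", "title"],
  comments: false,
};

// Constructed sample of untrusted input: benign markup plus an injected
// image with an event handler, the kind of payload the sanitizer strips.
const SAMPLE_UNTRUSTED = '<p>hello</p><img src="x" onerror="alert(1)">';

// Returns the path taken so the behaviour can be checked without a DOM.
function renderUntrustedHtml(el, untrustedHtml, sanitizerConfig = COMMENT_SANITIZER) {
  if (typeof el.setHTML === "function") {
    // Sanitizer API path: parse, sanitize against the allow-list and insert
    // in one step, so no unsanitized string ever reaches the DOM.
    el.setHTML(untrustedHtml, { sanitizer: sanitizerConfig });
    return "setHTML";
  }
  // Fallback for browsers without setHTML: render as plain text. Dropping to
  // innerHTML here would reopen exactly the XSS hole the migration closes.
  el.textContent = untrustedHtml;
  return "textContent";
}

// What to grep for in an existing codebase: assignments to innerHTML/outerHTML
// and insertAdjacentHTML calls are the candidate sinks to replace.
const INNERHTML_SINK = /\.(innerHTML|outerHTML)\s*=|\.insertAdjacentHTML\s*\(/;

function findHtmlSinks(source) {
  return source
    .split("\n")
    .map((line, i) => ({ line: i + 1, text: line.trim() }))
    .filter(({ text }) => INNERHTML_SINK.test(text));
}

// Constructed stand-in for a DOM element so the helper runs in plain Node:
// records setHTML calls instead of building a real DOM.
function makeFakeElement({ withSetHTML }) {
  const el = { textContent: "", calls: [] };
  if (withSetHTML) {
    el.setHTML = function (html, options) {
      this.calls.push({ html, options });
    };
  }
  return el;
}
```

In a real page `renderUntrustedHtml(document.getElementById("comment"), userInput)` is the whole migration; the point of returning the path name and keeping the fake element is only to make the "never innerHTML" fallback checkable.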