8 events
Mar 26, 2024 at 19:39 comment added browsermator Wasn't sure if they wanted HTML to be read as markup or just displayed as text. But if they wanted HTML to be interpreted, but safely, the sandboxed iframe is an alternative.
Mar 22, 2024 at 23:15 comment added Ja1024 @browsermator: I'm not sure what this has to do with the question.
Mar 22, 2024 at 23:15 comment added Ja1024 @Thenothing: It does matter whether or not your whitelist is complete. If it's incomplete, you're blocking characters which shouldn't be blocked. This may not lead to XSS vulnerabilities, but it's a bug which can definitely cause problems.
Mar 22, 2024 at 23:12 comment added Ja1024 @Thenothing: You say you already use textContent when you build HTML elements (with JavaScript, obviously). Then you shouldn't need innerHTML at all. Building HTML with JavaScript means you get Node objects which can be inserted directly into the document through methods like Node.appendChild(). innerHTML is only required if you have a string with HTML markup (typically from the server). You don't have to escape anything with textContent, because all characters (including single quotes) are treated as literal text and not interpreted as HTML markup.
Mar 22, 2024 at 21:13 comment added browsermator You might look into using a sandboxed iframe: w3schools.com/tags/att_iframe_sandbox.asp
Mar 22, 2024 at 20:28 comment added The nothing Hi, I already use textContent when I build the HTML. I think you cannot escape single quotes with textContent; do you know another way to insert raw HTML securely, since textContent is for text? By the way, I have a whitelist, not a blacklist, so -- does not matter.
Mar 22, 2024 at 17:35 history edited Ja1024 CC BY-SA 4.0 (added 254 characters in body)
Mar 22, 2024 at 17:29 history answered Ja1024 CC BY-SA 4.0