On 08/04/2013 15:29, Frederik Braun wrote:
> On 08.04.2013 14:39, Julien Wajsberg wrote:
>> Hi,
>>
>> While I fully agree with you about the security problems of innerHTML,
>> I'm very surprised by the performance issues. It is widely assumed that
>> innerHTML (and its little brother insertAdjacentHTML) is a lot faster
>> than traditional DOM methods. And it makes me sad.
>>
>> Also, your jsperf 3rd testcase fails and I don't really understand
>> why... I'd love to check the differences between your testcases :)
>>
> My bad, I played with some other revision than the ones that are
> currently available under the given URL.
>
> Let's agree on the security concerns instead: It worries me that there's
> no concerted approach to deal with user input in innerHTML assignments.
My plan would be: inject everything but external inputs using innerHTML or insertAdjacentHTML. Then use querySelector on the same node to get the nodes where you want to inject user input, using textContent. This way we can get the speediness of innerHTML but still use textContent for untrusted input.

Of course some input must be injected in HTML, and those must be taken care of. And this is probably easier for the security team if that's done only in a few places.

--
Julien
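The two-step pattern described in the reply above, written out as an added example (not code from the thread or from any B2G app). The `data-field` attribute naming and the contact template are assumptions; the small element stand-in exists only so the snippet runs outside a browser, where a real DOM element would be passed instead.

```javascript
// Added example: trusted, static markup goes in through innerHTML for
// speed; untrusted values are then set with textContent on nodes found by
// querySelector, so they become text nodes and are never parsed as markup.

// Static template. The data-field attributes are an assumed naming scheme.
// Nothing user-controlled is ever concatenated into this string.
const CONTACT_TEMPLATE =
  '<li class="contact">' +
  '<span class="name" data-field="name"></span> ' +
  '&lt;<span class="email" data-field="email"></span>&gt;' +
  '</li>';

// Safe render: `root` is any element-like object with innerHTML and
// querySelector (a real DOM element in the browser, the stand-in below in Node).
function renderContact(root, contact) {
  root.innerHTML = CONTACT_TEMPLATE;                      // trusted markup only
  for (const field of ['name', 'email']) {
    const node = root.querySelector(`[data-field="${field}"]`);
    node.textContent = contact[field];                    // untrusted -> text node
  }
  return root;
}

// The pattern the thread warns against, kept for contrast: untrusted data is
// interpolated into the markup string, so any tags in it are parsed as HTML.
function renderContactUnsafe(root, contact) {
  root.innerHTML = `<li class="contact"><span class="name">${contact.name}</span></li>`;
  return root;
}

// Minimal stand-in for a DOM element so the example runs outside a browser:
// records what reached innerHTML and only understands `[data-field="x"]`.
function makeFakeRoot() {
  const nodes = {};
  return {
    innerHTML: '',
    querySelector(selector) {
      const m = /^\[data-field="([^"]+)"\]$/.exec(selector);
      if (!m || !this.innerHTML.includes(`data-field="${m[1]}"`)) return null;
      return nodes[m[1]] || (nodes[m[1]] = { textContent: '' });
    },
  };
}

// Constructed sample: a "name" that carries markup.
const sample = { name: 'Eve <b>admin</b>', email: 'eve@example.com' };
const safe = renderContact(makeFakeRoot(), sample);
const unsafe = renderContactUnsafe(makeFakeRoot(), sample);
console.log('untrusted markup reached innerHTML (safe):  ', safe.innerHTML.includes('<b>'));
console.log('untrusted markup reached innerHTML (unsafe):', unsafe.innerHTML.includes('<b>'));
```

With a real element, the same `renderContact(document.querySelector('#contacts'), contact)` call leaves `<b>admin</b>` visible as literal text in the page rather than as a bold element.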
_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g