It’s a bit of a stretch that it’s a concern because even where it’s used, the source is not typically going to be an outside source. I wouldn’t consider it an obstacle for “1.0”, but we should address it.
> On Dec 7, 2021, at 10:11 PM, Greg Dove <greg.d...@gmail.com> wrote:
>
>> That said, we’re using innerHTML in some places in the Framework where it is not necessary. That should be fixed.
>
> Yeah, that's actually what I was meaning. I don't know if there are any
> other things like this which we might have overlooked, or whether it is
> critical to consider these for '1.0'
>
> On Wed, Dec 8, 2021 at 9:00 AM Harbs <harbs.li...@gmail.com> wrote:
>
>> In React, there’s a desire to set innerHTML because things are hard to do
>> there. In Royale, not so much.
>>
>> That said, we’re using innerHTML in some places in the Framework where it
>> is not necessary. That should be fixed.
>>
>>> On Dec 7, 2021, at 9:36 PM, Greg Dove <greg.d...@gmail.com> wrote:
>>>
>>> We discussed at one point the potential security risks associated with
>>> using innerHTML in some code, for example and that other frameworks avoid
>>> that (React requires that a dev use a method called dangerouslySetInnerHTML
>>> or something like that).