innerText still allows markup, and it's not totally safe (compared to textContent) with unsanitized strings:
https://stackoverflow.com/questions/52707031/does-innertext-prevent-xss

On 12/12/2021 4:18 AM, Harbs wrote:
> Yes.
>
> Why do you include innerText? AFAIK innerText is safe. (Although textContent
> usually makes more sense.)
>
>> On Dec 12, 2021, at 12:02 PM, Edward Stangler <estang...@bradmark.com> wrote:
>>
>>
>> OK, that makes sense.
>>
>> If you use innerHTML / innerText inside Royale, then you need to sanitize.
>>
>> (And whatever equivalent for "src" / "url" and other such areas.)
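
The sanitizing step this thread calls for before innerHTML and "src" / "url" sinks, as an added example that is not part of the original messages and is not Royale code. The names `escapeHtml`, `safeUrl` and `ALLOWED_SCHEMES`, the http/https allowlist and the sample inputs are assumptions made for illustration.

```javascript
// Added illustration; escapeHtml, safeUrl and ALLOWED_SCHEMES are hypothetical
// names, not Royale APIs. Sample inputs below are constructed.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// For untrusted text that must pass through an innerHTML sink: encode every
// character that can open a tag, an entity or an attribute value.
// (Plain text assigned through textContent needs no encoding at all.)
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumption: only these schemes are acceptable for "src" / "url" values.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// For "src" / "url" sinks: parse with the WHATWG URL parser (the one browsers
// use) and allowlist the scheme. String checks such as
// startsWith("javascript:") miss inputs the parser normalizes, for example
// leading spaces or embedded tabs and newlines.
// Returns the normalized absolute URL, or null if it must not be assigned.
function safeUrl(untrusted, baseUrl) {
  let parsed;
  try {
    parsed = new URL(String(untrusted), baseUrl);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Constructed sample inputs.
const BASE = "https://app.example.invalid/";
const samples = ["/img/logo.png", " javascript:alert(1)", "java\tscript:alert(1)",
                 "data:text/html,<b>x</b>", "http://"];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeUrl(s, BASE));
}
console.log(escapeHtml('<img src=x onerror="a">'));
```

The scheme allowlist does not restrict the host; add an origin check where the sink should only load same-site resources.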