innerText still allows markup, and it's not totally safe (compared to
textContent) with unsanitized strings:

    https://stackoverflow.com/questions/52707031/does-innertext-prevent-xss



On 12/12/2021 4:18 AM, Harbs wrote:
> Yes.
>
> Why do you include innerText? AFAIK innerText is safe. (Although textContent 
> usually makes more sense.)
>
>> On Dec 12, 2021, at 12:02 PM, Edward Stangler <estang...@bradmark.com> wrote:
>>
>>
>> OK, that makes sense.
>>
>> If you use innerHTML / innerText inside Royale, then you need to sanitize.
>>
>> (And whatever equivalent for "src" / "url" and other such areas.)

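The three DOM sinks the thread touches on (innerHTML, innerText/textContent, and src/href-style URL attributes), shown side by side as an added example. This is not code from the thread or from Apache Royale: the untrusted strings are constructed for the demonstration, `BASE` is an assumed document origin used only to resolve relative URLs, and the helper names (`escapeHtml`, `isSafeUrl`, `setUntrustedText`, `setUntrustedMarkup`, `setUntrustedSrc`) are the example's own.

```javascript
// Added example, not from the mailing-list thread or from Apache Royale.
// Untrusted strings reach the DOM through three kinds of sink discussed in
// the thread: innerHTML (parsed as markup), innerText/textContent (inserted
// as a text node), and URL-valued attributes such as src and href.

// Constructed untrusted inputs, the kind a user could type into a form field.
const UNTRUSTED_TEXT = '<img src=x onerror="alert(1)">';
const UNTRUSTED_URLS = [
  'https://example.com/a.png',
  '/relative/path.png',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  'java\nscript:alert(1)',   // newline inside the scheme; browsers strip it
  ' javascript:alert(1)',    // leading whitespace; also stripped by the parser
  'data:text/html,<script>alert(1)</script>',
];

// Escape the characters that matter in an HTML text or attribute context.
// Only needed when innerHTML is unavoidable, e.g. when untrusted text is
// concatenated into markup the code generates itself.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Scheme allow-list for src/href values. Parsing with the WHATWG URL parser
// (the same parser the browser applies to the attribute) normalizes tricks
// such as embedded tabs/newlines, leading whitespace and mixed-case schemes
// before the check, so a plain string prefix test is not needed.
const BASE = 'https://app.example.com/';   // assumed origin for relative URLs
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeUrl(value) {
  let url;
  try {
    url = new URL(String(value), BASE);
  } catch (e) {
    return false;              // unparseable: reject rather than guess
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Safe sink: textContent (or innerText) creates a text node, so any markup
// in the string is displayed literally instead of being parsed.
function setUntrustedText(el, s) {
  el.textContent = String(s);
}

// innerHTML parses the string as markup, so only escaped text may go in it.
function setUntrustedMarkup(el, s) {
  el.innerHTML = '<b>' + escapeHtml(s) + '</b>';
}

// URL attribute sink: refuse anything outside the scheme allow-list and
// remove the attribute rather than leave a previous value in place.
function setUntrustedSrc(el, value) {
  if (!isSafeUrl(value)) {
    el.removeAttribute('src');
    return false;
  }
  el.setAttribute('src', new URL(value, BASE).href);
  return true;
}

// Classifies the sample URLs; in a browser it also renders the text sample
// and attempts the bad src. In Node there is no document, so only the pure
// checks run.
function demo() {
  const results = UNTRUSTED_URLS.map((u) => [u, isSafeUrl(u)]);
  if (typeof document !== 'undefined') {
    const p = document.createElement('p');
    setUntrustedText(p, UNTRUSTED_TEXT);          // shows the literal tag text
    const img = document.createElement('img');
    setUntrustedSrc(img, 'javascript:alert(1)');  // attribute is not set
    document.body.append(p, img);
  }
  return results;
}
```

The allow-list is deliberately short; add `mailto:` or `tel:` only for attributes where those schemes are expected, and keep `data:` out of image sources unless the application has a separate reason to trust them.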