OK. For a script tag. But for anything else it should be safe. (I think?) Either way, I don’t know of any reason to be setting innerText instead of textContent, so we should standardize on that either way.
Harbs

> On Dec 13, 2021, at 1:12 AM, Edward Stangler <estang...@bradmark.com> wrote:
>
> innerText still allows markup, and it's not totally safe (compared to
> textContent) with unsanitized strings:
>
> https://stackoverflow.com/questions/52707031/does-innertext-prevent-xss
>
> On 12/12/2021 4:18 AM, Harbs wrote:
>> Yes.
>>
>> Why do you include innerText? AFAIK innerText is safe. (Although textContent
>> usually makes more sense.)
>>
>>> On Dec 12, 2021, at 12:02 PM, Edward Stangler <estang...@bradmark.com>
>>> wrote:
>>>
>>> OK, that makes sense.
>>>
>>> If you use innerHTML / innerText inside Royale, then you need to sanitize.
>>>
>>> (And whatever equivalent for "src" / "url" and other such areas.)
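An added JavaScript example, not from this thread or the Royale code base, contrasting the two safe paths discussed above: assigning untrusted text via textContent, which never parses markup, and escaping before innerHTML when markup assignment cannot be avoided. The element object is a constructed stand-in so the snippet runs outside a browser, and the refusal for script/style elements reflects the caveat raised in the reply.

```javascript
// Added example: safe ways to put an untrusted string into the DOM.

// Characters that change meaning when a string is parsed as HTML.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape for the fallback case where the value must go through innerHTML.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Elements whose text is interpreted as code rather than rendered to the user;
// textContent/innerText on these does not protect against injection.
const CODE_BEARING = new Set(["SCRIPT", "STYLE"]);

// Preferred path: textContent stores the string verbatim, no markup parsing.
function setUntrustedText(el, untrusted) {
  if (CODE_BEARING.has(String(el.tagName).toUpperCase())) {
    throw new Error(`refusing to write untrusted text into <${el.tagName}>`);
  }
  el.textContent = String(untrusted);
  return el.textContent;
}

// Fallback: escape first, then assign through innerHTML.
function setUntrustedViaInnerHTML(el, untrusted) {
  el.innerHTML = escapeHtml(untrusted);
  return el.innerHTML;
}

// Constructed stand-in for a DOM element (hypothetical; not a real node).
function fakeElement(tagName) {
  return { tagName, textContent: "", innerHTML: "" };
}

// Constructed sample input containing every character escapeHtml rewrites.
const sample = '<b>Tom</b> & "Jerry" \'O\'';
const span = fakeElement("SPAN");
setUntrustedText(span, sample);          // kept verbatim, shown as plain text
setUntrustedViaInnerHTML(span, sample);  // markup neutralised before parsing
```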