The Sanitizer API landed in Firefox 148, along with element.setHTML().

    firefoxwebdevs@mastodon.social (#1):

    The Sanitizer API landed in Firefox 148, along with element.setHTML().

    This lets you fully configure how HTML strings are cleaned as they're parsed.

    https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/

      barefootstache@en.osm.town (#2):

      @firefoxwebdevs couldn't the attacker change the sanitizer rules to permit the tags they want to exploit?

        firefoxwebdevs@mastodon.social (#3):

        @barefootstache if the attacker has enough script access to do that, you've already lost.

        Whereas HTML strings often come from things like a database or API.
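
The pattern the thread is discussing (#1's "fully configure how HTML strings are cleaned" and #3's point that the sanitizer rules are application code while the HTML is data from a database or API), as an added example that is not from the thread or from Mozilla's blog post. It assumes a browser where `element.setHTML(html, { sanitizer: config })` accepts a Sanitizer API config object as Firefox 148 does; the config key names (`elements`, `attributes`, `comments`, `dataAttributes`) follow the Sanitizer API spec, and the allow-list contents, the sample comment and the helper names (`renderUntrustedHTML`, `allowedElementNames`, `supportsSetHTML`) are constructed for this example.

```javascript
// Added example (not code from the thread or from Mozilla's blog post). Assumes a
// browser where Element.prototype.setHTML() accepts a Sanitizer API config object,
// as described for Firefox 148; key names follow the Sanitizer API spec.

// Allow-list for rendering user comments fetched from a database or API (constructed
// for this example). Anything not listed is removed while the string is parsed; the
// per-element attribute list on <a> is the only place any attribute is permitted.
// The config is frozen so page code cannot mutate it by accident; as #3 notes, an
// attacker who already runs script in the page is outside this threat model anyway.
const COMMENT_SANITIZER = Object.freeze({
  elements: [
    "p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
    "code", "pre", "blockquote",
    { name: "a", attributes: ["href", "title"] },
  ],
  attributes: [],        // explicitly no globally allowed attributes (no on*, no style)
  comments: false,       // strip HTML comments
  dataAttributes: false, // strip data-* attributes
});

// Names of every element a config allows, whether listed as a string or as an object.
// Handy for auditing a config in a unit test before it ships.
function allowedElementNames(config) {
  return (config.elements || []).map((e) => (typeof e === "string" ? e : e.name));
}

function supportsSetHTML(el) {
  return typeof el?.setHTML === "function";
}

// Render an untrusted HTML string into `target`. Fails closed: if setHTML() is missing
// we throw rather than silently falling back to innerHTML, which would skip sanitizing.
function renderUntrustedHTML(target, html) {
  if (!supportsSetHTML(target)) {
    throw new Error("Element.setHTML() is unavailable; refusing to fall back to innerHTML");
  }
  target.setHTML(html, { sanitizer: COMMENT_SANITIZER });
  return target;
}

// Constructed sample: a comment row in which someone stored markup, including things
// the allow-list does not permit (a <script>, an onclick attribute, a <div>, data-*).
const SAMPLE_COMMENT =
  "<p>Nice post <b>really</b>!</p>" +
  "<script>/* injected */</script>" +
  '<a href="https://example.org" onclick="doSomething()">source</a>' +
  '<div data-track="1" style="color:red">wrapper</div>';

// Browser-only demo; skipped when this file runs outside a DOM (e.g. under Node).
if (typeof document !== "undefined") {
  const box = document.createElement("div");
  renderUntrustedHTML(box, SAMPLE_COMMENT);
  // With the allow-list above, <p>, <b> and <a href> are kept; <script>, the onclick
  // attribute, the <div> and its data-*/style attributes are not in the list.
  console.log(box.innerHTML);
}
```

The fail-closed check matters in practice: a feature-detect that quietly falls back to `innerHTML` in browsers without `setHTML()` would reintroduce exactly the injection the API is meant to remove, so the safer fallback is a separate sanitizer library or refusing to render.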
