The Core

Why We Are Here => Web Development => Topic started by: rcjordan on February 24, 2026, 10:08:11 PM

Title: Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Post by: rcjordan on February 24, 2026, 10:08:11 PM
Mozilla Hacks - the Web developer blog

https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148/
Title: Re: Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Post by: ergophobe on February 25, 2026, 12:20:14 AM
That's a good change. I have to agree that CSP fell short
Title: Re: Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Post by: rcjordan on February 25, 2026, 01:41:06 AM
I caught the FF update and put it on hold.  I don't know enough to tell if this will cripple userscripts.
Title: Re: Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Post by: ergophobe on February 25, 2026, 08:44:21 PM
I don't think so. My understanding is this will affect things going forward.

InnerHTML is not yet being deprecated and it can't be for a long time since FF is currently the only browser that supports setHTML() as I understand it.

This is more a long-term thing for developers. Legacy code using InnerHTML will probably be around and supported until everyone reading this is in the ground (based on how long COBOL has stuck around and the fact that airlines are still using Windows95).

But going forward, instead of mucking with InnerHTML to build the DOM on pages where you're feeding JSON to JS and rendering the page client side, you'll be able to use setHTML() and have enhanced and customizable security out of the box.

I would liken this to the way that most CMS platforms have an API for building forms, taking in data and spitting it back out. They usually wrap the native functions that have little sanitizing by default and then add some sanity checks.