Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148

Started by rcjordan, February 24, 2026, 10:08:11 PM


rcjordan

I caught the FF update and put it on hold. I don't know enough to tell if this will cripple userscripts.

ergophobe

I don't think so. My understanding is this will affect things going forward.

innerHTML is not yet being deprecated and it can't be for a long time since FF is currently the only browser that supports setHTML() as I understand it.

This is more a long-term thing for developers. Legacy code using innerHTML will probably be around and supported until everyone reading this is in the ground (based on how long COBOL has stuck around and the fact that airlines are still using Windows 95).

But going forward, instead of mucking with innerHTML to build the DOM on pages where you're feeding JSON to JS and rendering the page client side, you'll be able to use setHTML() and have enhanced and customizable security out of the box.

I would liken this to the way that most CMS platforms have an API for building forms, taking in data and spitting it back out. They usually wrap the native functions that have little sanitizing by default and then add some sanity checks.
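The pattern ergophobe describes, shown as an added example that is not from the thread or from Firefox: a rendering helper that prefers `setHTML()` with an allowlist, and on browsers without it degrades to plain text rather than to `innerHTML`. The sanitizer config shape (`elements`, `attributes`) is an assumption taken from the Sanitizer API draft, and the fake element objects exist only so the file also runs under Node, which has no DOM.

```javascript
// Added example (not from the thread). Renders untrusted HTML with setHTML()
// where available; otherwise falls back to textContent so an old browser gets
// "safe but unformatted" instead of "formatted but injectable".

// Assumed Sanitizer config: an allowlist of elements and attributes.
// Confirm the exact keys against the Sanitizer API spec / MDN for your browser.
const COMMENT_SANITIZER = {
  elements: ["p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"],
  attributes: ["href"],
};

// The legacy pattern this helper replaces: markup is parsed and executed as-is,
// so any <script>, onerror=, javascript: URL etc. in the payload runs.
function renderLegacyUnsafe(el, untrustedHtml) {
  el.innerHTML = untrustedHtml; // XSS sink
}

function supportsSetHTML(el) {
  return typeof el.setHTML === "function";
}

// Returns which path was taken so callers (and tests) can verify behaviour.
function renderUntrusted(el, untrustedHtml, config = COMMENT_SANITIZER) {
  if (supportsSetHTML(el)) {
    // Parses the string, drops anything outside the allowlist, then inserts it.
    el.setHTML(untrustedHtml, { sanitizer: config });
    return "setHTML";
  }
  // No sanitizer available: show the payload as literal text. Nothing executes.
  el.textContent = untrustedHtml;
  return "textContent";
}

// Constructed sample comment body: legitimate formatting plus an injected
// script tag and an event-handler attribute.
const SAMPLE =
  '<p>Hi <b>there</b></p><script>alert(1)</script><img src=x onerror="alert(2)">';

// Stand-ins for a DOM element so this runs under Node. In a browser, pass a real
// element instead, e.g. document.getElementById("comment").
function fakeLegacyElement() {
  return { textContent: "", innerHTML: "" };
}
function fakeSetHTMLElement() {
  const calls = [];
  return {
    calls,
    textContent: "",
    innerHTML: "",
    setHTML(html, opts) {
      calls.push({ html, opts });
    },
  };
}

// Stand-alone demo: show which path each element type takes.
const legacyDemo = fakeLegacyElement();
const modernDemo = fakeSetHTMLElement();
console.log("legacy element ->", renderUntrusted(legacyDemo, SAMPLE));
console.log("setHTML element ->", renderUntrusted(modernDemo, SAMPLE));
```

Keeping `renderLegacyUnsafe` in the file next to `renderUntrusted` is deliberate: a code search for `innerHTML` then finds exactly one sink, with a comment saying why it is there, which is the state you want before deleting it once every supported browser ships `setHTML()`.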