mdn/content
setHTML() / Sanitizer explicitly call out that re-parsing (mXSS) is still a danger
Open
#43,386 opened on March 9, 2026
Labels: Content:WebAPI, help wanted
Description
MDN URL
https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML
What specific section or headline is this issue about?
No response
What information was incorrect, unhelpful, or incomplete?
Nothing
What did you expect to see?
I think we should try to explain that it's unsafe to do something like this:

```js
div.setHTML(code);
other_div.innerHTML = div.innerHTML;
```

It's also unsafe to take the result of innerHTML, save it in a database, and serve it again without using setHTML.
setHTML can't protect against bugs caused by the HTML code being parsed again (mXSS).
Do you have any supporting links, references, or citations?
https://wicg.github.io/sanitizer-api/#mutated-xss
Do you have anything more you want to share?
No response
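The pattern the issue asks MDN to document, written out as an added example (this is not code from the issue author, the MDN page, or the Sanitizer API spec): the serialized output of a sanitized element is still untrusted text, so `setHTML()` has to be called again at every point where that text is parsed into a DOM, whether the destination is another element or a page rendering markup read back from storage. The example assumes a browser implementing `Element.setHTML()`; `makeRecordingElement` is a constructed stand-in for a DOM element so the helpers can be exercised outside a browser.

```javascript
// Added example, not the MDN page's or the issue author's code. Assumes a
// browser that implements Element.setHTML() (Sanitizer API).

// Unsafe: `dst` re-parses the serialized markup with no sanitization. The
// setHTML() call that produced `src` only protected the first parse; the
// serialize-then-parse round trip is where mutated XSS (mXSS) lives.
function copyUnsafe(src, dst) {
  dst.innerHTML = src.innerHTML;
}

// Safe: treat src.innerHTML as untrusted text and sanitize it again at the new
// parse boundary. Refuse to fall back to innerHTML when setHTML() is missing.
function copySanitized(src, dst) {
  if (typeof dst.setHTML !== "function") {
    throw new Error("Element.setHTML() unavailable; not falling back to innerHTML");
  }
  dst.setHTML(src.innerHTML);
}

// Storage round trip: what gets persisted is a plain string, so sanitization has
// to happen again when it is rendered, not only when it was first saved.
function serializeForStorage(el) {
  return el.innerHTML;
}

function renderStored(target, storedMarkup) {
  if (typeof target.setHTML !== "function") {
    throw new Error("Element.setHTML() unavailable; not falling back to innerHTML");
  }
  target.setHTML(storedMarkup);
}

// Constructed stand-in for a DOM element: it records whether markup arrived via
// setHTML() (a sanitized parse) or via the innerHTML setter (a raw parse).
function makeRecordingElement(markup = "") {
  const el = {
    sanitizedWrites: 0,
    rawWrites: 0,
    setHTML(html) {
      el.sanitizedWrites++;
      markup = String(html);
    },
  };
  Object.defineProperty(el, "innerHTML", {
    get() { return markup; },
    set(html) { el.rawWrites++; markup = String(html); },
  });
  return el;
}

// Runs both copy patterns plus the storage round trip and reports how many
// writes reached a destination through an unsanitized parse.
function auditCopyPatterns() {
  const src = makeRecordingElement();
  src.setHTML("<p>constructed, already-sanitized content</p>");

  const unsafeDst = makeRecordingElement();
  copyUnsafe(src, unsafeDst);

  const safeDst = makeRecordingElement();
  copySanitized(src, safeDst);

  const stored = serializeForStorage(src); // what a database would hold
  const rendered = makeRecordingElement();
  renderStored(rendered, stored);

  return {
    unsafeRawParses: unsafeDst.rawWrites,             // 1: second parse, unsanitized
    safeRawParses: safeDst.rawWrites,                 // 0: re-sanitized at the boundary
    safeSanitizedWrites: safeDst.sanitizedWrites,     // 1
    renderedRawParses: rendered.rawWrites,            // 0
    renderedSanitizedWrites: rendered.sanitizedWrites // 1
  };
}
```

The design point is that `copySanitized` and `renderStored` fail closed: if `setHTML()` is not present, they throw rather than silently degrading to an `innerHTML` assignment, which is exactly the raw re-parse the issue warns about.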