mdn/content

setHTML() / Sanitizer explictly call out that re-parsing (mXSS) is still a danger

Open

#43386 opened on Mar 9, 2026

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Markdown (8,900 stars) (22,427 forks)batch import
Content:WebAPIhelp wanted

Description

MDN URL

https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML

What specific section or headline is this issue about?

No response

What information was incorrect, unhelpful, or incomplete?

Nothing

What did you expect to see?

I think we should try to explain that it's unsafe to something like this:

div.setHTML(code);
other_div.innerHTML = div.innerHTML

It's also unsafe to use the result of innerHTML save it in a database and serve again without using setHTML.

setHTML can't protect against bugs caused by the HTML code being parsed again (mXSS)

Do you have any supporting links, references, or citations?

https://wicg.github.io/sanitizer-api/#mutated-xss

Do you have anything more you want to share?

No response

Contributor guide

Tech stack
javascripthtml
Domain
documentation
Issue type
documentation
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
active
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
None
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
80
Research direction
The issue requests adding a warning about mXSS when re parsing HTML set via setHTML(). The relevant page is https://developer.mozilla.org/en US/docs/Web/API/Element/setHTML. The spec reference is https://wicg.github.io/sanitizer api/#mutated xss. Suggested change: add a note that using innerHTML on parsed content or storing it for later use without re sanitizing is unsafe. No code changes needed.