mdn/content

setHTML() / Sanitizer explicitly call out that re-parsing (mXSS) is still a danger

Open

#43386 · opened on March 9, 2026

Labels: Content:WebAPI, help wanted

Description

MDN URL

https://developer.mozilla.org/en-US/docs/Web/API/Element/setHTML

What specific section or headline is this issue about?

No response

What information was incorrect, unhelpful, or incomplete?

Nothing

What did you expect to see?

I think we should try to explain that it's unsafe to do something like this:

div.setHTML(code);                    // sanitized while being parsed into div
other_div.innerHTML = div.innerHTML;  // serialized and re-parsed without sanitization

It's also unsafe to take the result of innerHTML, save it in a database, and serve it again without using setHTML.

setHTML can't protect against bugs caused by the HTML code being parsed again (mXSS).

Do you have any supporting links, references, or citations?

https://wicg.github.io/sanitizer-api/#mutated-xss

Do you have anything more you want to share?

No response
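A defensive pattern for the two cases described in this issue (copying between elements, and storing then re-serving), as an added example that is not part of the issue or of MDN's documentation. The helper names `renderUntrusted`, `copyContent`, `save`, `load`, `renderStored` and the Map standing in for a database are assumptions; `Element.setHTML()` is the real Sanitizer API entry point.

```javascript
// Added example: sanitizer output is only trustworthy inside the DOM it was
// parsed into. Once serialized (innerHTML) it is a string again, and the next
// parse can produce a different tree (mXSS), so sanitize at every sink.

// Render untrusted HTML into `target` only through setHTML(). If the
// Sanitizer API is missing, refuse rather than silently fall back to innerHTML.
function renderUntrusted(target, html) {
  if (typeof target.setHTML !== "function") {
    throw new Error("Element.setHTML() unavailable; refusing to assign innerHTML");
  }
  target.setHTML(html);
  return target;
}

// Copying content between elements. `to.innerHTML = from.innerHTML` would
// re-parse the serialized tree unsanitized; instead treat the serialization
// as untrusted input and run it through setHTML() at the destination.
function copyContent(from, to) {
  return renderUntrusted(to, from.innerHTML);
}

// Persisting HTML (constructed in-memory stand-in for a database). Whatever is
// stored, sanitized or not, comes back as a plain string and must be
// sanitized again at render time; storing it does not preserve "sanitized-ness".
const storage = new Map();

function save(key, untrustedHtml) {
  storage.set(key, untrustedHtml);
}

function load(key) {
  return storage.has(key) ? storage.get(key) : "";
}

function renderStored(target, key) {
  return renderUntrusted(target, load(key));
}
```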
