> My plan would be: inject everything but external inputs using innerHTML
> or insertAdjacentHTML

Isn't this a premature optimization? I should think that we should do the unquestionably-safe thing 99% of the time, and then use innerHTML only as a last resort when HTML parsing is a bottleneck.

On Mon, Apr 8, 2013 at 9:33 AM, Julien Wajsberg <[email protected]> wrote:
> On 08/04/2013 15:29, Frederik Braun wrote:
>> On 08.04.2013 14:39, Julien Wajsberg wrote:
>>> Hi,
>>>
>>> While I fully agree with you about the security problems of innerHTML,
>>> I'm very surprised by the performance issues. It is widely assumed that
>>> innerHTML (and its little brother insertAdjacentHTML) is a lot faster
>>> than traditional DOM methods. And it makes me sad.
>>>
>>> Also, your jsperf 3rd testcase fails and I don't really understand
>>> why... I'd love to check the differences between your testcases :)
>>>
>> My bad, I played with some other revision than the ones that are
>> currently available under the given URL.
>>
>> Let's agree on the security concerns instead: It worries me that there's
>> no concerted approach to deal with user input in innerHTML assignments.
>
> My plan would be: inject everything but external inputs using innerHTML
> or insertAdjacentHTML. Then use querySelector on the same node to get
> the nodes where you want to inject user input, using textContent.
>
> This way we can get the speediness of innerHTML but still use
> textContent for untrusted input.
>
> Of course some input must be injected in HTML, and these ones must be
> taken care of. And this is probably easier for the security team if
> that's done only in a few places.
> --
> Julien
>
>
> _______________________________________________
> dev-b2g mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-b2g
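The pattern Julien describes (static markup via insertAdjacentHTML, then querySelector plus textContent for the untrusted fields) as a small self-contained page. This is an added example, not code from the thread or from the Gaia code base; the contact-row template, the `renderContact` function, the element ids and the sample contact object are all constructed for illustration. The sample name carries markup characters so the page can show that they end up as literal text.

```html
<!DOCTYPE html>
<meta charset="utf-8">
<title>innerHTML for static markup, textContent for untrusted input</title>
<ul id="contacts"></ul>
<pre id="result"></pre>
<script>
// Static, developer-controlled template (constructed for this example).
// No untrusted data is ever interpolated into this string, so handing it
// to the HTML parser is safe.
const ROW_TEMPLATE =
  '<li class="contact">' +
  '<span class="name"></span> ' +
  '<a class="phone"></a>' +
  '</li>';

// Render one contact whose fields are assumed to be untrusted (for
// example, parsed from a received vCard). Text goes through textContent;
// the tel: link is only set after the number passes a strict check.
function renderContact(list, contact) {
  // Step 1: insert the fixed markup in one parse.
  list.insertAdjacentHTML('beforeend', ROW_TEMPLATE);
  const row = list.lastElementChild;

  // Step 2: find the slots and fill them with textContent, which
  // creates a text node and never invokes the HTML parser.
  row.querySelector('.name').textContent = contact.name;
  const phone = row.querySelector('.phone');
  phone.textContent = contact.phone;

  // Attributes and URLs are a separate sink: textContent does not cover
  // them. Only accept a number matching a conservative pattern before
  // using it to build an href.
  if (/^\+?[0-9 ]{3,20}$/.test(contact.phone)) {
    phone.href = 'tel:' + contact.phone.replace(/ /g, '');
  }
  return row;
}

// Constructed sample input: the name contains markup so the result
// shows it being displayed literally rather than parsed.
const untrusted = { name: '<b>Mallory</b> &amp; Co', phone: '+1 555 0100' };
const row = renderContact(document.getElementById('contacts'), untrusted);

// Self-check: the serialized row shows the name escaped as entities
// (&lt;b&gt;...), and no <b> element exists inside the row.
document.getElementById('result').textContent =
  'row.innerHTML: ' + row.innerHTML + '\n' +
  'bold elements inside row: ' + row.querySelectorAll('b').length;
</script>
```

Open the file in a browser: the list shows the name with the angle brackets visible, and the `<pre>` reports zero `<b>` elements inside the row. The point the thread makes about "some input must be injected in HTML" is the `href` branch: textContent only protects element content, so every attribute or URL built from untrusted data still needs its own validation, and keeping those in a few clearly marked places is what makes them reviewable.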
