December 10, 2025
Parse fights and footguns
Why the Sanitizer API is just `setHTML()`
Sanitizer = setHTML: One clean click for safer pages, but devs are fighting about it
TLDR: Browsers propose setHTML with built‑in cleaning to stop double‑parsing bugs that can morph user content into sneaky attacks. Comments split between cheering the simpler approach, calls to switch to strict XHTML, and warnings that old innerHTML will still tempt developers into risky code.
Browsers want to stop a sneaky web bug called “mutated XSS” — where the same snippet of user HTML gets read twice and changes shape — by making the Sanitizer API basically a safe version of setHTML. Instead of cleaning a string and then re-parsing it, the browser would insert and sanitize in the right place, once. That got the comments buzzing: brainbag says with proper context this proposal is far smarter than it sounds and could even replace third‑party libraries, pointing to WICG and WHATWG standards talk. Cobbal drops the slogan of the day: “parse, don’t parse‑serialize‑parse.”
Then the flame war begins: nayuki wants the web to go full XHTML (the strict, XML version of HTML) so parsing is perfectly predictable — cue “2005 called” jokes and the eternal XML vs HTML war. On the other side, philipwhiuk worries the new method leaves the old innerHTML as a booby trap, spawning memes like “ban innerHTML, make setHTML the default.” Meanwhile, jamesbvaughan applauds the interactive “find the bug” exercise for turning a dry topic into edutainment. Will we see this ship and land on MDN and in the spec? The crowd is split, but the drama is delicious.
Key Points
- Traditional sanitizer usage parses the HTML twice, in two different contexts, which enables mutated XSS (mXSS).
- mXSS arises because HTML parsing is unstable and context-sensitive: the same input can change shape across a parse/serialize/parse cycle.
- The proposed Sanitizer API uses `context.setHTML(input, { sanitizer })`, so no sanitized string is returned and no second parse takes place.
- The internal algorithm parses once in the correct context, sanitizes the resulting fragment, and replaces the context element's children with it.
- Replacing `innerHTML` with `setHTML` gives the same insertion behavior with sanitization built in, mitigating XSS.
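To make the last two points concrete, here is a small added example (my own code, not from the post or from any browser or spec): a rendering helper that always takes the single-parse `setHTML` path and, where it is missing, degrades to text instead of reaching for `innerHTML`. The option shape `setHTML(input, { sanitizer })` follows the post's description; the `Sanitizer` constructor and the fallback behavior are assumptions, and `legacyRender` exists only to show the parse-serialize-parse pattern being replaced.

```javascript
// Added example: route untrusted markup through setHTML (parse once, sanitize
// in place) and never through a sanitized string plus innerHTML.

// Assumption: the Sanitizer API draft exposes a global `Sanitizer` constructor
// whose default config is suitable for untrusted content. Guarded so the file
// also loads where the API is absent (e.g. Node).
const defaultSanitizer =
  typeof Sanitizer === 'function' ? new Sanitizer() : undefined;

function supportsSetHTML(el) {
  return typeof el.setHTML === 'function';
}

// The pattern the post warns about, kept only for comparison (do not use):
// sanitizeToString parses input (#1) and serializes it; innerHTML parses the
// result again (#2) in the real insertion context. Any difference between the
// two parses is the mXSS window.
function legacyRender(el, input, sanitizeToString) {
  const cleaned = sanitizeToString(input);
  el.innerHTML = cleaned;
  return 'innerHTML';
}

// Preferred path: the browser parses `input` once, in `el`'s own context,
// sanitizes the fragment, then replaces el's children. No string comes back,
// so there is nothing to re-parse. Returns which path was taken.
function renderUntrusted(el, input, sanitizer = defaultSanitizer) {
  if (supportsSetHTML(el)) {
    if (sanitizer !== undefined) {
      el.setHTML(input, { sanitizer });
    } else {
      el.setHTML(input); // browser default sanitizer config
    }
    return 'setHTML';
  }
  // No setHTML: show the markup as literal text rather than executing it.
  // This deliberately refuses the innerHTML fallback a naive polyfill would use.
  el.textContent = input;
  return 'text';
}
```

In a page script you would call `renderUntrusted(commentNode, userSuppliedHtml)` for every untrusted fragment; the return value is handy for logging how often the text fallback fires, which tells you whether you still have visitors on browsers that need the richer path.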