February 24, 2026
Clean HTML, Dirty Comments
Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148
Firefox adds a 'clean HTML' button—fans cheer, skeptics squint, React devs sweat
TLDR: Firefox 148 adds setHTML, a built-in way to clean pasted code and block common website hacks. The crowd split: cheers for safer defaults clash with gripes about the clickbaity “goodbye innerHTML,” limited browser support, and React worries—big deal, because better defaults could seriously reduce real-world data theft.
Mozilla just shipped Firefox 148 with setHTML, a new way to insert “cleaned” HTML that strips out sneaky tricks before they can bite. Translation: less chance of those nasty website-injection hacks where attackers slip bad code into pages. It’s the first browser to ship the standardized Sanitizer API, and security folks are buzzing—but the comments section? On fire.
The hottest worry: confusion. One top voice fretted about “a mix of methods” where some functions safely handle user input and others don’t—without clear names to tell them apart. Another commenter dunked on the headline drama, calling it “deceptive” because innerHTML isn’t actually gone (sorry, it’s not a funeral—more like a curfew). The pragmatists chimed in with a reality check: don’t expect to rely on this everywhere yet—browser support still needs time to spread.
Fans celebrated the safer-by-default move, praising a path that doesn’t require a whole security team to avoid cross-site scripting (XSS), the web’s long-time boogeyman. Meanwhile, the React crowd barged in asking if this changes the fate of the ominously named dangerouslySetInnerHTML—cue the memes about renaming it to “kinda-saferSetHTML.”
Bottom line: setHTML promises cleaner HTML with fewer traps, and it can be tuned for stricter or looser rules, even pairing with other safeguards. But until every browser catches up—and devs settle on clear patterns—the web’s getting cleaner, while the comments stay deliciously messy.
Key Points
- Firefox 148 is the first browser to ship the standardized Sanitizer API to mitigate XSS.
- The setHTML() method sanitizes HTML during insertion, offering a safer default than innerHTML.
- Developers can customize sanitization policies to keep or remove specific elements and attributes.
- CSP, pioneered by Firefox in 2009, remains valuable but had limited adoption due to implementation complexity.
- Combining the Sanitizer API with Trusted Types enables stricter enforcement, and Firefox 148 supports both.
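What the customizable-policy and "limited browser support" points look like in practice, as an added example that is not from Mozilla or the article: a small allowlist policy passed to setHTML(), with a plain-text fallback for browsers that lack the method. The policy key names (elements, attributes, comments) follow the Sanitizer API specification as I understand it, and the element id comment-box is an assumption.

```javascript
// Added example, not code from the article or from Firefox/Mozilla.
// Sanitizer API usage: Element.setHTML() with a custom allowlist policy,
// plus a safe fallback for browsers that do not implement it yet.

// Allowlist policy for user-submitted comment markup: only these tags and
// attributes survive. setHTML() additionally strips anything XSS-unsafe
// (script elements, event-handler attributes, ...) regardless of the policy.
const COMMENT_POLICY = {
  elements: ["p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code"],
  attributes: ["href", "title"],
  comments: false, // drop <!-- --> nodes as well
};

// Insert untrusted markup into `target` without ever touching innerHTML.
// Returns which path was taken so callers (and tests) can check it.
function renderUntrustedHtml(target, untrustedHtml) {
  if (typeof target.setHTML === "function") {
    // Sanitizing insertion: parse, filter through the policy, then attach.
    target.setHTML(untrustedHtml, { sanitizer: COMMENT_POLICY });
    return "sanitized";
  }
  // No Sanitizer API available: render as text. Formatting is lost, but
  // nothing in the string can execute or inject elements.
  target.textContent = untrustedHtml;
  return "text-fallback";
}

// Constructed sample standing in for a user comment with hostile markup.
const SAMPLE_COMMENT =
  '<p>Nice post, <b>thanks</b>!</p><img src=x onerror="alert(1)"><script>alert(2)</script>';

// Browser entry point, guarded so the file also loads under Node for testing.
// "comment-box" is an assumed element id.
if (typeof document !== "undefined") {
  const box = document.getElementById("comment-box");
  console.log(renderUntrustedHtml(box, SAMPLE_COMMENT));
}
```

In a supporting browser the `<img onerror>` and `<script>` parts never reach the DOM as executable content; in an older browser the whole string is displayed literally rather than parsed.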