4 Matching Annotations
- Mar 2023
-
-
Pitfall #3: Misunderstanding What it Means to Dangerously Set
-
- Jun 2022
-
blog.logrocket.com blog.logrocket.com
-
```js import DOMPurify from 'dompurify'
const App = () => { const data =
lorem <b onmouseover="alert('mouseover');">ipsum</b>const sanitizedData = () => ({ __html: DOMPurify.sanitize(data) })return ( <div dangerouslySetInnerHTML={sanitizedData()} /> ); }
export default App; ```
-
- May 2022
-
developer.mozilla.org developer.mozilla.org
-
Differences from innerHTML Element.innerHTML returns HTML, as its name indicates. Sometimes people use innerHTML to retrieve or write text inside an element, but textContent has better performance because its value is not parsed as HTML. Moreover, using textContent can prevent XSS attacks.
-
Differences from innerText Don't get confused by the differences between Node.textContent and HTMLElement.innerText. Although the names seem similar, there are important differences: textContent gets the content of all elements, including <script> and <style> elements. In contrast, innerText only shows "human-readable" elements. textContent returns every element in the node. In contrast, innerText is aware of styling and won't return the text of "hidden" elements. Moreover, since innerText takes CSS styles into account, reading the value of innerText triggers a reflow to ensure up-to-date computed styles. (Reflows can be computationally expensive, and thus should be avoided when possible.) Both textContent and innerText remove child nodes when altered, but altering innerText in Internet Explorer (version 11 and below) also permanently destroys all descendant text nodes. It is impossible to insert the nodes again into any other element or into the same element after doing so.
-