I’ve never understood dangerouslySetInnerHTML. Been working on the authoring/HTML rendering in Kitten and I’ve decided on the following model:
- Anything you interpolate into your templates is escaped. So you’re protected from script injection by default. (I’m a big fan of safe by default vs. blame after the fact.)
- To include HTML, you call safelyAddHtml(untrustedHtml) in your template. That sanitises it before adding.
Think I’m happy with that.
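As an added illustration of the model described in the post above (this is not Kitten's own code; `html`, `SafeHtml`, `escapeHtml` and `sanitiseHtml` are assumed names, and only `safelyAddHtml` comes from the post), here is a tagged template that escapes every interpolated value by default, with `safelyAddHtml()` as the single, sanitising escape hatch. The allowlist sanitiser is deliberately small; a real deployment would use a maintained library such as DOMPurify, but the shape of the API is the point:

```javascript
// Added example for the thread, not Kitten's implementation. Names other than
// safelyAddHtml are assumptions.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text or
// attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE[ch]);
}

// Wrapper type: the only way unescaped markup gets into a template.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: every interpolated value is escaped unless it is already a
// SafeHtml (i.e. it came from another html`` call or from safelyAddHtml()).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += value instanceof SafeHtml ? value.markup : escapeHtml(value);
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Allowlist sanitiser: keeps a handful of tags, drops every other tag (its text
// content survives, but as text), and keeps only href on <a>, and only when the
// scheme is http(s) or mailto. Hand-rolled purely to make the model concrete.
const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'code', 'a']);
const SAFE_HREF = /^(https?:|mailto:)/i;
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

function sanitiseTag(closing, name, rawAttrs) {
  name = name.toLowerCase();
  if (!ALLOWED_TAGS.has(name)) return ''; // drop the tag itself
  if (closing) return `</${name}>`;
  let attrs = '';
  if (name === 'a') {
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const [, attrName, dq, sq, bare] = m;
      const value = (dq ?? sq ?? bare).trim();
      if (attrName.toLowerCase() === 'href' && SAFE_HREF.test(value)) {
        attrs = ` href="${escapeHtml(value)}" rel="noopener noreferrer"`;
      }
    }
  }
  return `<${name}${attrs}>`;
}

function sanitiseHtml(untrusted) {
  let out = '';
  let last = 0;
  for (const m of untrusted.matchAll(TAG_RE)) {
    // Text between tags: neutralise stray angle brackets so nothing can
    // reassemble into a tag after the drop.
    out += untrusted.slice(last, m.index).replace(/[<>]/g, (ch) => ESCAPE[ch]);
    out += sanitiseTag(m[0].startsWith('</'), m[1], m[2]);
    last = m.index + m[0].length;
  }
  out += untrusted.slice(last).replace(/[<>]/g, (ch) => ESCAPE[ch]);
  return out;
}

// The escape hatch from the post: sanitise first, then mark the result safe.
function safelyAddHtml(untrustedHtml) {
  return new SafeHtml(sanitiseHtml(String(untrustedHtml)));
}

// Constructed sample input: a user comment carrying a script tag, a
// javascript: link and an inline event handler.
const sampleComment =
  '<b>Hi</b> <script>alert(1)</script><a href="javascript:alert(1)" onclick="x()">x</a>';

function renderComment(author, body) {
  // author is plain text and gets escaped; body goes through the sanitiser.
  return html`<article><h2>${author}</h2>${safelyAddHtml(body)}</article>`.toString();
}

console.log(renderComment('<script>', sampleComment));
// → <article><h2>&lt;script&gt;</h2><b>Hi</b> alert(1)<a>x</a></article>
```

Two things worth noticing: nested `html` templates compose without double-escaping because the outer template recognises the inner `SafeHtml`, and there is no way to reach unescaped output without going through `safelyAddHtml()`, so the default path is the safe one.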
That's a very good way to think about it. In the chemical industry the concept was:
Risk = f(Hazard, exposure). If your exposure control failed, you got exposed to the full hazard, so you should concentrate on making processes inherently less hazardous.
You already seem to know that, but you seem like the sort to appreciate a good pseudo-equation.
@Homebrewandhacking Pseudo-equations FTW :)