The downside of a new method is that it leaves innerHtml as a source of future security issues.
You can disable it for your site using a trusted types content security policy.
Readit Newsrictic commented on Why the Sanitizer API is just `setHTML()` frederikbraun.de/why-seth... · Posted by u/birdculture
rictic commented on How/why to sweep async tasks under a Postgres table taylor.town/pg-task... · Posted by u/ostler
Missing from the article: how to communicate progress and failure to the user?
This is much more complicated with task queues. Doable still! But often skipped, because it's tempting to imagine that the backend will just handle the failure by retrying. But there are lots of kinds of failure that can happen.
The recipient's server doesn't accept the email. The recipient's domain name expired. Actually, we don't have an email address for that recipient at all.
The user has seen "got it, will do, don't worry about it" but if that email is time sensitive, they might want to know that it hasn't been sent yet, and maybe they should place a phone call instead.
> This element does not announce itself as an interactive element to screen reader users
Are you sure? Screen readers should be able to detect a div with a onclick as interactable, no? And if they can’t, that seems like an exceedingly simple fix. I’d be shocked if they can’t already detect onclick.
A click handler can be doing a lot of things that aren't much like a button, like letting you close a modal if you click outside of it, capturing mouse events for a game, or passively recording events for analytics. All that a click handler tells you is that there's some code that sometimes cares about some clicks somewhere inside that element.
rictic commented on Element: setHTML() method developer.mozilla.org/en-... · Posted by u/todsacerdoti
Maybe it is then time for having something that is beyond "use strict" at the beginning auf a JavaScript document as one option to use the statement.
I think a config object in which you define for script options like sanitization and other script configuration might be helpful.
After all, there almost always need to be backward compatibility be ensured, and this might work. I am no spec guy, it is just an idea. React makes use of "use client/server", so this would be more central and explicit.
A somewhat related spec, at the page level rather than the module level, are Content Security Policies, which let a page disable various unsafe browser features for a page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CSP
One of my favorite features in there is trusted types enforcement: https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Typ...
Lets you create your own API for what code is allowed to create arbitrary, potentially unsafe HTML at runtime, so you can allow secure templating systems but disallow code that just concats strings together naively.
rictic commented on Element: setHTML() method developer.mozilla.org/en-... · Posted by u/todsacerdoti
But it breaks an abstraction. Sometimes you just want to take working HTML and insert it into a document. It will be painful if suddenly this does not work, and you have to dig into the documentation to see why.
It is also painful when your app gets hacked, accounts get taken over and abused, user data is compromised, and so on. For serious sites it's worth the pain to turn on security enforcement features.
rictic commented on JSON River – Parse JSON incrementally as it streams in github.com/rictic/jsonriv... · Posted by u/rickcarlino
Please consider it a feature request
For anyone else following along, see https://github.com/rictic/jsonriver/issues/39
For anyone else curious WTH “invisible code” is…
> invisible Unicode characters that make malicious code literally disappear from code editors.
So, they have a custom decode function that extracts info from unprinted characters which they then pass to `eval`. This article is trying to make this seem way fancier than it is. Maybe GitHub or `git diff` don't give a sense of how many bits of info are in the unicode string, but the far scarier bit of code is the `eval(atob(decodedString))` at the bottom. If your security practices don't flag that, either at code review, lint, or runtime then you're in trouble.
Not to say that you can't make innocuous looking code into a moral equivalent of eval, but giving this a fancy name like Glassworm doesn't seem warranted on that basis.
rictic commented on JSON River – Parse JSON incrementally as it streams in github.com/rictic/jsonriv... · Posted by u/rickcarlino
rictic commented on JSON River – Parse JSON incrementally as it streams in github.com/rictic/jsonriv... · Posted by u/rickcarlino
I want to ditch stream-json so hard (needs polyfills in browser, cumbersome to use), but I need only one feature: invoke callback by path (e.g. `user.posts` need to invoke for each post in array) only for complete objects. Is this something that json river can support?
jsonriver's invariants do give you enough info to notice which values are and aren't complete. They also mean that you can mutate the objects and arrays it returns to drop data that you don't care about.
There might be room for some helper functions in something like a 'jsonriver/helpers.js' module. I'll poke around at it.
rictic commented on JSON River – Parse JSON incrementally as it streams in github.com/rictic/jsonriv... · Posted by u/rickcarlino