Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I like the way react does it:

dangerouslySetInnerHTML={{__html: variable}}

Not only can you easily see every place in the code that is using this construct, but, the framework provides a warning.

I definitely don't think it's bad to sanitize HTML content. but in general MOST text in a web app should be just text, and rendered with whatever HTML it contains. In very few places should the web application give user rich-text (aka HTML) access. In any place that the application does that, sanitization should be used.



Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: