
Defensive JavaScript - octosphere
https://www.javascriptjanuary.com/blog/defensive-javascript
======
megous
Well, I do for JS what I do for SQL. I just don't concatenate strings to
create HTML code. No innerHTML, no nothing.

    let a = document.createElement('a');
    a.textContent = whateverText;  // text node: any markup in the string stays inert
    a.href = whateverUrl;          // XXX: check for schema (reject javascript:, data:, ...)

Done. You may need like one 60 line function to make this less verbose when
dealing with many elements. And you can forget about XSS, mostly.

You can even disable innerHTML and friends if you want assurances:

    // Shadows the inherited innerHTML accessor with a read-only data property:
    // reads return '' and assignments are ignored (or throw in strict mode).
    // configurable defaults to false, so it cannot be redefined afterwards.
    // The accessor itself lives on Element.prototype, so this covers HTML
    // elements only; define it on Element.prototype to cover SVG elements too.
    Object.defineProperty(HTMLElement.prototype, 'innerHTML', {value: '', writable: false});

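As an added example (not code from the thread or from the linked article): a small DOM-builder in the spirit of the "one 60 line function" above, together with the href scheme check the snippet leaves as an XXX. The names `h`, `safeUrl`, `makeFakeDocument` and the base URL `https://example.invalid/` are this example's own; the fake document is a constructed stand-in so the code runs outside a browser, and in a page you would pass the real `document` instead.

```javascript
// Only these schemes may end up in a URL-carrying attribute. Relative URLs
// resolve against the assumed base and so come out as https: and pass.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://example.invalid/';  // assumption: base for resolving relative URLs

// Returns the normalized URL if its scheme is allowed, otherwise 'about:blank'.
// The WHATWG URL parser strips leading whitespace and lowercases the scheme,
// so " JavaScript:alert(1)" is still recognised as javascript: and rejected.
function safeUrl(raw) {
  let u;
  try {
    u = new URL(String(raw), BASE);
  } catch {
    return 'about:blank';  // unparseable: refuse rather than guess
  }
  return ALLOWED_SCHEMES.has(u.protocol) ? u.href : 'about:blank';
}

const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// h(doc, tag, attrs, children): builds an element without touching innerHTML.
// Strings in `children` become text nodes; URL attributes go through safeUrl;
// on* handler attributes are refused; <script> is refused because its text
// content is executed, not displayed.
function h(doc, tag, attrs = {}, children = []) {
  if (tag.toLowerCase() === 'script') throw new Error('refusing to build <script>');
  const el = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    const n = name.toLowerCase();
    if (n.startsWith('on')) throw new Error(`refusing event handler attribute ${name}`);
    el.setAttribute(n, URL_ATTRS.has(n) ? safeUrl(value) : String(value));
  }
  for (const child of children) {
    el.appendChild(typeof child === 'string' ? doc.createTextNode(child) : child);
  }
  return el;
}

// Minimal stand-in for `document` so the example runs outside a browser
// (constructed for this example; in a page, pass the real document).
function makeFakeDocument() {
  return {
    createElement: (tag) => ({
      tagName: tag.toUpperCase(),
      attributes: new Map(),
      childNodes: [],
      setAttribute(n, v) { this.attributes.set(n, String(v)); },
      appendChild(c) { this.childNodes.push(c); return c; },
    }),
    createTextNode: (text) => ({ nodeType: 3, data: String(text) }),
  };
}

// Constructed attacker-controlled inputs: markup in the link text and a
// javascript: URL disguised with leading whitespace and mixed case.
const untrustedText = '<img src=x onerror=alert(1)>';
const untrustedHref = ' JavaScript:alert(document.cookie)';

function buildLink(doc, text, url) {
  return h(doc, 'a', { href: url, rel: 'noopener' }, [text]);
}

const demo = buildLink(makeFakeDocument(), untrustedText, untrustedHref);
```

Note that the scheme allowlist only decides whether a URL may execute script; it says nothing about where it points, so a protocol-relative `//evil.example/` still passes as https:. If the link target must stay on your own origin, compare `u.origin` as well.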
~~~
tracker1
Thanks, came in to say pretty much the same thing here.

------
the_duke
That's quite a lot of words for saying: "don't trust user input".

