{"id":8902,"date":"2026-03-10T14:49:49","date_gmt":"2026-03-10T19:49:49","guid":{"rendered":"https:\/\/frontendmasters.com\/blog\/?p=8902"},"modified":"2026-03-10T14:49:50","modified_gmt":"2026-03-10T19:49:50","slug":"goodbye-innerhtml-hello-sethtml","status":"publish","type":"post","link":"https:\/\/frontendmasters.com\/blog\/goodbye-innerhtml-hello-sethtml\/","title":{"rendered":"Goodbye innerHTML, Hello setHTML"},"content":{"rendered":"\n<p>The new <code>.setHTML()<\/code> method in JavaScript, part of the Sanitizer API, can be a one-to-one replacement for <code>.innerHTML<\/code>, making sites more secure from XSS attacks. I think that&#8217;s pitch-perfect feature branding from Mozilla on this: <a href=\"https:\/\/hacks.mozilla.org\/2026\/02\/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148\/\">Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148<\/a>.<\/p>\n\n\n\n<p>Listen to <a href=\"https:\/\/shoptalkshow.com\/704\/\">Frederik Braun go deep into this on ShopTalk<\/a> recently, and read a bonus blog post where he <a href=\"https:\/\/frederikbraun.de\/perfect-types-with-sethtml.html\">shows the recipe<\/a> to make <em>only<\/em> setHTML work, &#8220;essentially removing all DOM-XSS risks&#8221;.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The new .setHTML() method in JavaScript, part of the Sanitizer API, can be a one-to-one replacement for .innerHTML, making sites more secure from XSS attacks. I think that&#8217;s pitch-perfect feature branding from Mozilla on this: Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148. 
Listen to Frederik Braun go deep into this on ShopTalk [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":8907,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"sig_custom_text":"","sig_image_type":"featured-image","sig_custom_image":0,"sig_is_disabled":false,"inline_featured_image":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[29],"tags":[3,462,461],"class_list":["post-8902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-the-beat","tag-javascript","tag-sanitizer-api","tag-xss"],"acf":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/frontendmasters.com\/blog\/wp-content\/uploads\/2026\/03\/pexels-photo-5380673.jpeg?fit=1880%2C1253&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/posts\/8902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/comments?post=8902"}],"version-history":[{"count":1,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/posts\/8902\/revisions"}],"predecessor-version":[{"id":8908,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/posts\/8902\/revisions\/8908"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/media\/8907"}],"wp:attachment":[{"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/media?parent=8902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/categories?post=8902"},{"taxonomy":"post_tag",
"embeddable":true,"href":"https:\/\/frontendmasters.com\/blog\/wp-json\/wp\/v2\/tags?post=8902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}