The Sanitizer API landed in Firefox 148, along with element.setHTML().
This lets you fully configure how HTML strings are cleaned as they're parsed.
One thing I find a bit disappointing is that the Sanitizer API is [Exposed=Window] only, so there's no way to use it server-side in Node.js or Deno. A simple sanitize(html: string): string method would have been enough to retire a whole category of npm packages. The irony is that sanitizing untrusted HTML is arguably more common on the server—that's where you receive user input, store it, and render it back.
For now, server-side JavaScript still has to rely on DOMPurify (dragging jsdom along with it) or something like sanitize-html, each shipping its own HTML parser that may subtly disagree with how browsers actually parse markup—which is exactly the problem this API was supposed to solve.