innerHTML Application

Blank's blog: http://www.planabc.net/
The use of the innerHTML property is very popular because it provides an easy way to completely replace the contents of an HTML element. Another approach is to use the DOM Level 2 API (removeChild, createElement, appendChild). But it is obvious that using innerHTML to modify the DOM tree is a very easy and effective method. However, you need to be aware that innerHTML has some issues of its own:

When an HTML string contains a script tag marked as defer (<script defer>…</script>), a script injection attack can occur on Internet Explorer if the innerHTML attribute is not handled properly. Setting innerHTML will destroy existing HTML elements that have event handlers registered, potentially causing memory leaks on some browsers.
There are a few other minor drawbacks that are worth mentioning:

You can't get references to elements you've just created, you need to manually add code to get those references (using DOM APIs). You cannot set the innerHTML property on all HTML elements in all browsers (for example, Internet Explorer does not allow you to set the innerHTML property on table row elements).
I am more concerned about the security and memory issues associated with using the innerHTML property. Obviously, these are not new problems, and there are already smart people who have figured out ways around some of these issues.
Douglas Crockford wrote a cleanup function that is responsible for breaking some circular references caused by event handlers registered with HTML elements and allowing the garbage collector to free the memory associated with these HTML elements.
Removing script tags from an HTML string is not as easy as it seems. A regular expression may do what you expect, although it is hard to know whether all possibilities are covered. Here is my solution:
/<script[^>]*>[\S\s]*?<\/script[^>]*>/ig
Now, let's combine these two techniques into a single setInnerHTML function and bind the setInnerHTML function to YUI's YAHOO.util.Dom:
YAHOO.util.Dom.setInnerHTML = function (el, html) {
el = YAHOO.util.Dom.get(el);
if (!el || typeof html !== 'string') {
return null;
}
// Break the circular reference
(function (o) {
var a = o.attributes, i, l, n, c;
if (a) {
l = a.length;
for (i = 0; i < l; i = 1) {
n = a[i].name;
if (typeof o[n] === 'function') {
o[n] = null;
}
}
}
a = o.childNodes;
if (a) {
l = a.length;
for (i = 0; i < l; i = 1) {
c = o.childNodes[i];
// Clear child nodes
arguments.callee(c);
// Remove all listeners registered on the element through YUI's addListener
YAHOO.util.Event.purgeElement(c);
}
}
})(el);
// Remove the script from the HTML string and set the innerHTML property
el.innerHTML = html.replace(/<script[^>]*>[\S\s]*?<\/script[^>]*>/ig, "");
// Return a reference to the first child node
return el.firstChild;
};
If there is anything else this function should have or if I'm missing something in the regex, please let me know.
Obviously, there are many other ways to inject malicious code on a web page. The setInnerHTML function normalizes the execution behavior of <script> tags on all A-grade browsers only. If you plan to inject untrusted HTML code, make sure to filter it on the server first. There are many libraries that can do this.
Original article: The Problem With innerHTML by Julien Lecomte

<<: How MySQL handles implicit default values

>>: Dockerfile implementation code when starting two processes in a docker container

Summary of MySQL slow log related knowledge

innerHTML Application

Summary of MySQL slow log related knowledge

Introduction to Computed Properties in Vue

HTML form tag usage learning tutorial

Ubuntu 16.04 64-bit compatible with 32-bit programs in three steps

When should a website place ads?

Detailed explanation of zabbix executing scripts or instructions on remote hosts

How to create a scroll bar with fixed navigation and left and right sliding using CSS

JavaScript Canvas draws dynamic wireframe effect

Detailed explanation of the process of deploying SpringBoot project through Docker plug-in in IDEA

Detailed explanation of Nodejs array queue and forEach application

Recommend

List of commonly used escape codes for HTML greater than, less than, spaces, quotation marks, etc.

Detailed installation process of MySQL 8.0 Windows zip package version

How to use Docker Swarm to build WordPress

Nexus private server construction principle and tutorial analysis

CentOS 8 custom directory installation nginx (tutorial details)

Detailed explanation of Docker's most commonly used image commands and container commands

Introduction and examples of hidden fields in HTML

Detailed explanation of Excel parsing and exporting based on Vue

Detailed explanation of styles in uni-app

A brief discussion on VUE uni-app custom components

Implementation of nested jump of vue routing view router-view

Solution to 1045 error when navicat connects to mysql

Using css-loader to implement css module in vue-cli

Detailed analysis of the MySQL slow log opening method and storage format

Vue custom table column implementation process record