Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

JavaScript JavaScript Loops, Arrays and Objects Tracking Multiple Items with Arrays Build a Quiz Challenge, Part 2

Immanuel Jaeggi
Immanuel Jaeggi
5,164 Points
Posted by Immanuel Jaeggi
Immanuel Jaeggi
5,164 Points

innerHTML...security risk?

I had to go to MDN to read up on innerHTML and its use, as this was introduced very briefly in the challenge and I'm barely starting to understand it.

Could you confirm what I understand, that when you use innerHTML you can actually control the HTML, make changes, even delete the entire content? If so,

  1. Why would you want to do that? Just going into my HTML file and making changes in there isn't ok?

  2. MDN states that..

' Warning: If your project is one that will undergo any form of security review, using innerHTML most likely will result in your code being rejected. For example, if you use innerHTML in a browser extension and submit the extension to addons.mozilla.org, it will not pass the automated review process. :O

So if this is true....what do I do?

1 Answer

Steven Parker
Steven Parker
230,995 Points
Steven Parker
Steven Parker
230,995 Points

Yes, it does give your script the ability to modify the element and/or delete it's contents. But this doesn't pose a security risk unless you what you modify it with is acquired as input from the user. Even so, there are ways to "sanitize" input so even that can be done safely. These are advanced topics you can persue when and if you need them.

Immanuel Jaeggi
Immanuel Jaeggi
5,164 Points
Immanuel Jaeggi
Immanuel Jaeggi
5,164 Points

MDN makes it sound like you really shouldn't use innerHTML, so maybe a quick example would help to clarify?

Steven Parker
Steven Parker
230,995 Points
Steven Parker
Steven Parker
230,995 Points

Something like this poses no risk, since the content is completely under the control of the script:

myDiv.innerHTML = "<h1>This is totally safe</h1>";