From 371097fbca43e6ab95aacef3eb2956368f62aecd Mon Sep 17 00:00:00 2001 From: narasimhan-lakshmi Date: Sun, 3 May 2026 16:25:44 +0530 Subject: [PATCH 1/3] added mxss warning about re-parsing sanitized html --- files/en-us/web/api/element/sethtml/index.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/files/en-us/web/api/element/sethtml/index.md b/files/en-us/web/api/element/sethtml/index.md index 1d17fc44c40abc2..426132aa069d029 100644 --- a/files/en-us/web/api/element/sethtml/index.md +++ b/files/en-us/web/api/element/sethtml/index.md 
@@ -66,6 +66,25 @@ It should also be used instead of {{domxref("Element.setHTMLUnsafe()")}}, unless Note that since this method always sanitizes input strings of XSS-unsafe entities, it is not secured or validated using the [Trusted Types API](/en-US/docs/Web/API/Trusted_Types_API). +## Re-parsing and mutated XSS (mXSS) + +Sanitizing HTML with the Sanitizer API or using `Element.prototype.setHTML()` helps remove unsafe nodes and attributes, but it does not eliminate the risk of mutated XSS (mXSS) when the sanitized HTML is serialized and later re-parsed. If sanitized HTML is serialized (for example via `innerHTML`) and later re-parsed by the browser, parsing-time transformations can re-introduce executable content or attributes that the sanitizer did not anticipate. + +Example — unsafe flow + +```js +// `code` comes from an untrusted source +div.setHTML(code); // Sanitizer runs here +other_div.innerHTML = div.innerHTML; // Re-parsing `innerHTML` — can trigger mXSS +``` + +Recommendations + +- Avoid round-tripping sanitized `innerHTML` as a string. If you must persist markup, re-sanitize on every parse before insertion. +- Prefer structured, safe representations (for example, store content as sanitized fragments or a safe data model) instead of raw HTML strings. +- Use defensive headers and policies: Content Security Policy (CSP), Trusted Types, and server-side validation. +- See also the WICG discussion on mutated XSS: https://wicg.github.io/sanitizer-api/#mutated-xss + ## Examples ### Basic usage From bea991fcc0893a7b5d504947226db6a250f5f10b Mon Sep 17 00:00:00 2001 From: Lakshminarasimhan <137640490+narasimhan-lakshmi@users.noreply.github.com> Date: Sun, 3 May 2026 16:41:00 +0530 Subject: [PATCH 2/3] Update files/en-us/web/api/element/sethtml/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- files/en-us/web/api/element/sethtml/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/files/en-us/web/api/element/sethtml/index.md b/files/en-us/web/api/element/sethtml/index.md index 426132aa069d029..dccdd44ef7b6135 100644 --- a/files/en-us/web/api/element/sethtml/index.md +++ b/files/en-us/web/api/element/sethtml/index.md @@ -74,7 +74,7 @@ Example — unsafe flow ```js // `code` comes from an untrusted source -div.setHTML(code); // Sanitizer runs here +div.setHTML(code); // Sanitizer runs here other_div.innerHTML = div.innerHTML; // Re-parsing `innerHTML` — can trigger mXSS ``` From f7f18636fec4809560a99e78c267202501694e55 Mon Sep 17 00:00:00 2001 From: Lakshminarasimhan <137640490+narasimhan-lakshmi@users.noreply.github.com> Date: Mon, 4 May 2026 09:05:23 +0530 Subject: [PATCH 3/3] Update files/en-us/web/api/element/sethtml/index.md Co-authored-by: Hamish Willee --- files/en-us/web/api/element/sethtml/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/en-us/web/api/element/sethtml/index.md b/files/en-us/web/api/element/sethtml/index.md index dccdd44ef7b6135..c35b7cef653695e 100644 --- a/files/en-us/web/api/element/sethtml/index.md +++ b/files/en-us/web/api/element/sethtml/index.md 
@@ -68,7 +68,7 @@ Note that since this method always sanitizes input strings of XSS-unsafe entitie ## Re-parsing and mutated XSS (mXSS) -Sanitizing HTML with the Sanitizer API or using `Element.prototype.setHTML()` helps remove unsafe nodes and attributes, but it does not eliminate the risk of mutated XSS (mXSS) when the sanitized HTML is serialized and later re-parsed. If sanitized HTML is serialized (for example via `innerHTML`) and later re-parsed by the browser, parsing-time transformations can re-introduce executable content or attributes that the sanitizer did not anticipate. +Sanitizing HTML with the Sanitizer API or using `setHTML()` helps remove unsafe nodes and attributes, but it does not eliminate the risk of mutated XSS (mXSS) when the sanitized HTML is serialized and later re-parsed. If sanitized HTML is serialized (for example via `innerHTML`) and later re-parsed by the browser, parsing-time transformations can re-introduce executable content or attributes that the sanitizer did not anticipate. Example — unsafe flow
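Review bot: In the first hunk (the new "Re-parsing and mutated XSS (mXSS)" section) the "Recommendations" list tells readers to "re-sanitize on every parse before insertion", but the only code shown is the unsafe flow, so the reader is left to guess what the safe counterpart looks like; please add a second snippet right after the unsafe one, e.g. `otherDiv.setHTML(div.innerHTML); // sanitizer runs again on the re-parsed string` or, better, move the already-sanitized nodes without serializing them at all (`otherDiv.append(...div.childNodes);`), which also gives the "Prefer structured, safe representations" bullet something concrete to point at. Two smaller points on the same hunk: the lines `Example — unsafe flow` and `Recommendations` are bare paragraphs where the rest of this page uses markdown headings (`## Examples`, `### Basic usage`), so they should be real headings or at least bold lead-ins; and the bare URL in `- See also the WICG discussion on mutated XSS: https://wicg.github.io/sanitizer-api/#mutated-xss` should be a markdown link, in line with how the page links the Trusted Types API in the context line above the hunk. Finally, the bullet "Use defensive headers and policies: Content Security Policy (CSP), Trusted Types, and server-side validation" sits directly below the existing sentence saying this method "is not secured or validated using the Trusted Types API", which reads as a contradiction; say explicitly that Trusted Types would guard the `innerHTML` assignment in the unsafe flow, not the `setHTML()` call.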
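Review bot: The second hunk only normalizes the spacing in `// Sanitizer runs here`, which is fine, but since this line is being touched anyway the snippet's identifiers `div` and `other_div` should follow the camelCase convention used in MDN's JavaScript examples (`otherDiv`), and it would help to show where both elements come from (e.g. `const div = document.getElementById("source");`) so the snippet is copy-pasteable.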
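Review bot: Replacing `Element.prototype.setHTML()` with `setHTML()` in the third hunk is the right call on the method's own page, but the sentence still presents the Sanitizer API and `setHTML()` as two alternatives ("with the Sanitizer API or using `setHTML()`"), which is confusing because `setHTML()` is the Sanitizer API's entry point on `Element`; consider "Sanitizing HTML with `setHTML()` (or any other Sanitizer API method) helps remove unsafe nodes and attributes, ..." so the scope of the warning is unambiguous.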