"Poland provoked occupation by Germany" (1939)? Germany "liberated Czechoslovakia Germans" by occupation and annexation (1938)? How occupation and annexation of neighbors ended for WW2 Germany (1938-1945)?
In 2014 Moscow invaded Ukraine, occupied Crimea, Donetsk, Luhanks. In 2022 Moscow invaded again. No NATO forces in Ukraine. No Moscow forces on NATO members territory. Trump officials unable to answer who started war, you blame NATO, both you and Trump aligned with Moscow.
Sounds reasonable enough to me. 99.99% of the times you’re in an actual script, if you mean to execute code, you’d just execute it yourself, rather than making a script tag full of code and sticking that tag into a random DOM element. That’s why the default wouldn’t honor the script tag and there’d be an “unsafe” method explicitly named as such to hint you that you’re doing something weird.
But it breaks an abstraction. Sometimes you just want to take working HTML and insert it into a document. It will be painful if suddenly this does not work, and you have to dig into the documentation to see why.
It is also painful when your app gets hacked, accounts get taken over and abused, user data is compromised, and so on. For serious sites it's worth the pain to turn on security enforcement features.
Ok, but be sure to make it optional. Putting 10 locks on your door is great for security, but it's not for everyone.
And instead of this security feature some might want to take a more fundamental look at security which might lead them to a completely different design. Again, make it optional.
If a developer so green that they don’t know what script injection risk is, and doesn’t know about innerHTML vs this method, stumbles into that scenario, I want them to encounter friction and have to dig into the documentation to find out why their script tag wasn’t run. Then they can start to learn how to do their job correctly. Having everything “just work” unsafely by default is not a viable best practice on the Web in 2025. Things have been slowly changing in this direction for at least a decade.
In fact, it’s better for the industry even if a few such individuals are so pained by having to learn about and handle security that they just quit web development entirely. Just like aspiring pilots who can’t stand checklists and safety rules should pursue a different career.
Molotov-Ribbentrop Pact — Moscow divided Poland with Germany (1939), invaded Finland (1939), occupied Baltic States (1940) — for two years of WW2 Moscow was Germany ally. After WW2 Moscow occupied half of Europe for 45 years, countries become free less than 50 years ago. Moscow made North Korea and China regimes, still supports dictatorship across the world, occupies and annexes neighbors.
Majority of Russian Federation population support occupation of Ukraine - independent polls at the start of open invasion. They would stop only when faced consequences.
In 2014 Moscow invaded Ukraine, occupied Crimea, Donetsk, Luhanks. In 2022 Moscow invaded again. No NATO forces in Ukraine. No Moscow forces on NATO members territory. Trump officials unable to answer who started war, you blame NATO, both you and Trump aligned with Moscow.
reply