Sounds reasonable enough to me. 99.99% of the times you’re in an actual script, if you mean to execute code, you’d just execute it yourself, rather than making a script tag full of code and sticking that tag into a random DOM element. That’s why the default wouldn’t honor the script tag and there’d be an “unsafe” method explicitly named as such to hint you that you’re doing something weird.
But it breaks an abstraction. Sometimes you just want to take working HTML and insert it into a document. It will be painful if suddenly this does not work, and you have to dig into the documentation to see why.
It is also painful when your app gets hacked, accounts get taken over and abused, user data is compromised, and so on. For serious sites it's worth the pain to turn on security enforcement features.
Ok, but be sure to make it optional. Putting 10 locks on your door is great for security, but it's not for everyone.
And instead of this security feature some might want to take a more fundamental look at security which might lead them to a completely different design. Again, make it optional.
If a developer so green that they don’t know what script injection risk is, and doesn’t know about innerHTML vs this method, stumbles into that scenario, I want them to encounter friction and have to dig into the documentation to find out why their script tag wasn’t run. Then they can start to learn how to do their job correctly. Having everything “just work” unsafely by default is not a viable best practice on the Web in 2025. Things have been slowly changing in this direction for at least a decade.
In fact, it’s better for the industry even if a few such individuals are so pained by having to learn about and handle security that they just quit web development entirely. Just like aspiring pilots who can’t stand checklists and safety rules should pursue a different career.
Molotov-Ribbentrop Pact — Moscow divided Poland with Germany (1939), invaded Finland (1939), occupied Baltic States (1940) — for two years of WW2 Moscow was Germany ally. After WW2 Moscow occupied half of Europe for 45 years, countries become free less than 50 years ago. Moscow made North Korea and China regimes, still supports dictatorship across the world, occupies and annexes neighbors.
Majority of Russian Federation population support occupation of Ukraine - independent polls at the start of open invasion. They would stop only when faced consequences.
No I claim Finland should not have been a NAZI ally.
There is no excuse and nothing will wash this part of history clean..
Oh and since we are counting dead:
The siege of Leningrad of which Finland was a part of:
>The siege became one of the longest and most destructive sieges in history, and it was possibly the costliest siege in history due to the number of casualties which were suffered throughout its duration. An estimated 1.5 million people died as a result of the siege.
Molotov-Ribbentrop pact — Moscow invaded Finland (1939), occupied Baltic states (1939), divided Poland with Germany (1939). Moscow was Germany ally for two years of WW2. Holodomor (1932-1933): Moscow killed millions without active war. "Great Britain, USA should not have been Moscow ally"?
Microsoft UWP only Microsoft Store. Microsoft backtracked their walled garden Windows plans for a while as result of Windows Phone fiasco.
Yes, we are.