React.js: Set innerHTML vs dangerouslySetInnerHTML


Is there any "behind the scenes" difference from setting an element's innerHTML vs setting the dangerouslySetInnerHTML property on an element? Assume I'm properly sanitizing things for the sake of simplicity.

Example:

var test = React.createClass({
  render: function(){
    return (
      <div contentEditable='true' dangerouslySetInnerHTML={{ __html: "Hello" }}></div>
    );
  }
});

vs

var test = React.createClass({
  componentDidUpdate: function(prevProp, prevState){
    this.refs.test.innerHTML = "Hello";
  },
  render: function(){
    return (
      <div contentEditable='true' ref='test'></div>
    );
  }
});

I'm doing something a bit more complicated than the above example, but the overall idea is the same.

Yes there is a difference!

The immediate effect of using innerHTML versus dangerouslySetInnerHTML is identical -- the DOM node will update with the injected HTML.

However, behind the scenes when you use dangerouslySetInnerHTML it lets React know that the HTML inside of that component is not something it cares about.

Because React uses a virtual DOM, when it goes to compare the diff against the actual DOM, it can straight up bypass checking the children of that node because it knows the HTML is coming from another source. So there are performance gains.

More importantly, if you simply use innerHTML, React has no way to know the DOM node has been modified. The next time the render function is called, React will overwrite the content that was manually injected with what it thinks the correct state of that DOM node should be.

Your solution to use componentDidUpdate to always ensure the content is in sync I believe would work but there might be a flash during each render.


Based on (dangerouslySetInnerHTML).

It's a prop that does exactly what you want. However, they named it to convey that it should be used with caution.


According to Dangerously Set innerHTML,

Improper use of the innerHTML can open you up to a cross-site scripting (XSS) attack. Sanitizing user input for display is notoriously error-prone, and failure to properly sanitize is one of the leading causes of web vulnerabilities on the internet.

Our design philosophy is that it should be "easy" to make things safe, and developers should explicitly state their intent when performing "unsafe" operations. The prop name dangerouslySetInnerHTML is intentionally chosen to be frightening, and the prop value (an object instead of a string) can be used to indicate sanitized data.

After fully understanding the security ramifications and properly sanitizing the data, create a new object containing only the key __html and your sanitized data as the value. Here is an example using the JSX syntax:

function createMarkup() {
  return { __html: 'First &middot; Second' };
}

<div dangerouslySetInnerHTML={createMarkup()} />

Read more about it using the link below:

documentation: React DOM Elements - dangerouslySetInnerHTML.
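
Added example (not part of the answer above or of the React documentation): one way to make the `{ __html }` object a marker of sanitized data, as the quoted passage describes, is to create it only inside the sanitizer and check that at the render site. `toTrustedMarkup`, `assertTrusted` and `ALLOWED_TAGS` are assumed names, and the escape-then-allowlist sanitizer handles only attribute-free formatting tags.

```javascript
// Added example, not from the React docs. All names below are assumptions.
const ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'p', 'br']; // attribute-free tags only
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const minted = new WeakSet(); // objects produced by toTrustedMarkup

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Escape everything, then re-enable exact matches such as &lt;b&gt; or &lt;/em&gt;.
// A tag carrying attributes never matches, so it stays inert text.
function toTrustedMarkup(untrusted) {
  const safeTag = new RegExp(`&lt;(/?)(${ALLOWED_TAGS.join('|')})&gt;`, 'gi');
  const html = escapeHtml(untrusted).replace(
    safeTag,
    (_match, slash, tag) => `<${slash}${tag.toLowerCase()}>`
  );
  const markup = Object.freeze({ __html: html });
  minted.add(markup);
  return markup;
}

// Guard for the render path: refuse { __html } objects built anywhere else.
function assertTrusted(markup) {
  if (!minted.has(markup)) {
    throw new TypeError('markup was not produced by toTrustedMarkup');
  }
  return markup;
}

// Constructed sample input mixing allowed formatting with active content.
const sample = 'Hi <B>there</B> <img src=x onerror=alert(1)> <i onclick="x">!';
const trusted = toTrustedMarkup(sample);
// In a component: <div dangerouslySetInnerHTML={assertTrusted(trusted)} />
```

For HTML that needs attributes, links or nesting rules, replace the body of `toTrustedMarkup` with a maintained sanitizer and keep the single entry point and the guard.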

An alternative to dangerously set innerHTML (published by remarkablemark): In most situations, dangerouslySetInnerHTML should suffice. But are there any other alternatives? There are, and one of them is called html-react-parser.

dangerouslySetInnerHTML is React's replacement for using innerHTML in the browser DOM. In general, setting HTML from code is risky because it's easy to inadvertently expose your users to a cross-site scripting (XSS) attack.


Comments
  • I wrote a small, non-scientific perf test to show the difference between inlining an SVG and using dangerouslySetInnerHTML: webpackbin.com/bins/-KepHa-AMxQgGxOUnAac - turns out the innerHTML method is almost twice as fast (see console in the webpackbin)
  • That's true and easy to predict, since innerHTML is a native method that binds the SVG code directly to the DOM without considering anything. On the other hand, dangerouslySetInnerHTML is a method that comes from React, so the SVG code has to be parsed as React Component children prior to putting them into the virtual DOM and then rendering them to the DOM.
  • Well, according to the docs it seems this is the only reason; still confused.
  • This doesn't answer the question.