React: Language used in "Dangerously Set innerHTML" document is unclear

Created on 1 Jul 2016 · 4 Comments · Source: facebook/react

The document Dangerously Set innerHTML states,

The intent behind the {__html:...} syntax is that it be considered a "type/taint" of sorts.

What is "type/taint"? Also, I'd like to recommend using language that doesn't rely on understanding this term, or at least to supplement it with a definition. Best not to create an opportunity for misunderstanding when explaining a security measure, lest the user draw his own conclusion about its importance.

All 4 comments

Hmm, https://en.wikipedia.org/wiki/Taint_checking

taint (and taint tracking/checking) is a super common concept in the security community. Furthermore, if you don't know what it means, you can just ignore that sentence and follow the practice recommended/described on the page, and you're good-to-go. So we're not "relying" on a user's understanding of the term, but the term is super helpful and descriptive to anyone who does know what it means.

I think we certainly want to leave the term there. It's not immediately clear to me how we can make the documentation better, without directly defining the term (we don't want to get into the habit of defining every term on every page because it makes the documentation far too verbose and cluttered; if people don't know a word, they can always look it up).
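To make the "type/taint" idea concrete, here is an added example, not React's own code and not from the docs page under discussion, of the discipline the `{__html: ...}` wrapper encourages: a bare string is treated as untrusted and cannot reach `innerHTML`; only a value that has passed through an escaping function, or that a developer has explicitly marked as trusted, carries the wrapper. The helpers `escapeHtml`, `trustedHtml`, `assertHtmlWrapper` and `setInnerHtml`, the stand-in element object and the attacker string are all hypothetical and constructed for this illustration; `assertHtmlWrapper` checks in the spirit of React's prop validation but is not React's implementation.

```javascript
// Added example (not React's code): a tiny "taint" discipline modelled on the
// {__html: ...} convention. A bare string is untrusted; only an object produced
// by escapeHtml() or trustedHtml() may reach an innerHTML sink.

// Escape the characters that matter in HTML text and attribute context, and
// return the result already wrapped, so the caller never handles a bare string.
function escapeHtml(untrusted) {
  const out = String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
  return { __html: out };
}

// Mark author-controlled markup as trusted. This is the only way to get raw
// markup into the sink, which makes every such site easy to find in review.
function trustedHtml(html) {
  if (typeof html !== "string") {
    throw new TypeError("trustedHtml expects a string");
  }
  return { __html: html };
}

// Check in the spirit of React's validation of the dangerouslySetInnerHTML prop
// (hypothetical, not React's implementation): the value must be an object of
// the form {__html: string}. A bare string, even a "safe-looking" one, is rejected.
function assertHtmlWrapper(value) {
  if (value === null || typeof value !== "object" || typeof value.__html !== "string") {
    throw new TypeError("expected {__html: ...}, got " + typeof value);
  }
  return value.__html;
}

// Hypothetical sink standing in for an element's innerHTML assignment.
function setInnerHtml(target, value) {
  target.innerHTML = assertHtmlWrapper(value);
  return target.innerHTML;
}

// Walk through the three cases and return the outcomes so they can be checked.
function demo() {
  const el = { innerHTML: "" };                              // constructed stand-in for a DOM element
  const attackerInput = '<img src=x onerror="alert(1)">';   // constructed sample payload

  // 1. A bare string never reaches the sink, whatever it contains.
  let bareStringRejected = false;
  try {
    setInnerHtml(el, attackerInput);
  } catch (e) {
    bareStringRejected = e instanceof TypeError;
  }

  // 2. Untrusted input goes through escapeHtml(), which both neutralises it
  //    and produces the wrapper the sink requires.
  const escaped = setInnerHtml(el, escapeHtml(attackerInput));

  // 3. Markup the developer controls is marked trusted explicitly.
  const trusted = setInnerHtml(el, trustedHtml("<b>Hello</b>"));

  return { bareStringRejected, escaped, trusted };
}

const result = demo();
console.log(result);
```

The point of the wrapper is not that an object is harder to construct than a string (it is trivial to write `{__html: userInput}` by hand), but that doing so is a visible, greppable act of opting out of escaping, which is what the docs mean by treating it as a "type/taint" marker.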

We can certainly improve the language. We shouldn't expect everybody reading this to know what it is. Also the first Google result for "taint" is NSFW so let's not rely on people's ability to search correctly either. We can leave the term and clarify the intent.

The language makes sense to me now, thanks.
