“The new standardized Sanitizer API provides a straightforward way for web developers to sanitize untrusted HTML before inserting it into the DOM.”
XSS has been on the OWASP Top Ten for two decades, and innerHTML has been doing its part to keep it there. Firefox 148 ships setHTML(), a new DOM method backed by the Sanitizer API that strips script-executing content (script elements, event-handler attributes and the like) before the markup reaches the page. It’s what innerHTML should have been from the start. The spec is now a standard, Chromium already shipped it, and Safari is next. Two caveats before you celebrate: the default sanitizer blocks script execution, not every abuse of markup, so it is not a substitute for deciding which tags you actually want to allow; and the API ships with an explicitly unsanitized sibling, setHTMLUnsafe(), which deserves exactly the scrutiny innerHTML gets today. Every innerHTML assignment you leave in place is still a sink. Still, one fewer excuse to ship injection vulnerabilities.
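As an added example, not code from the original post or from Mozilla's implementation: a render helper that prefers setHTML() and refuses to degrade to innerHTML when the API is missing, plus a small scanner for the HTML-parsing sinks that still need migrating. The element objects and the source snippet are constructed test doubles so the file runs under Node without a DOM; setHTML()'s optional second argument (an options object carrying a sanitizer configuration) is passed through untouched rather than assumed.

```javascript
// Added example, not code from the original post or from Mozilla.
// Two small helpers for migrating off innerHTML:
//   1. renderUntrusted(): use Element.setHTML() when the browser has it and
//      never fall back to innerHTML when it does not.
//   2. findHtmlSinks(): scan source text for the HTML-parsing sinks that
//      still need migrating.
// The element objects below are constructed test doubles so the file also
// runs under Node, where there is no DOM; in a browser pass a real Element.

// Constructed payload: every part of it would execute under innerHTML.
const SAMPLE_PAYLOAD =
  '<p onmouseover="alert(1)">hi<img src=x onerror="alert(2)"></p>' +
  '<script>alert(3)</script>';

// Render untrusted markup into `el`. Returns the path taken so callers and
// tests can check it. `options` is forwarded to setHTML() unchanged (for a
// tighter sanitizer configuration); omit it to get the default sanitizer.
function renderUntrusted(el, html, options) {
  if (typeof el.setHTML === 'function') {
    // Sanitizer API path: the default configuration removes script elements,
    // event-handler attributes and other script-executing content before the
    // nodes are inserted.
    if (options === undefined) el.setHTML(html);
    else el.setHTML(html, options);
    return 'setHTML';
  }
  // No Sanitizer API: render as inert text. Formatting is lost, but nothing
  // in `html` is parsed as markup. Deliberately no innerHTML fallback.
  el.textContent = html;
  return 'textContent';
}

// Test double standing in for a DOM element; records what was handed to it.
function makeElementDouble(hasSetHTML) {
  const el = { textContent: '', sanitizedCalls: [] };
  if (hasSetHTML) {
    el.setHTML = function (html, options) {
      this.sanitizedCalls.push({ html, options });
    };
  }
  return el;
}

// Sinks that parse a string as HTML. setHTMLUnsafe is the Sanitizer API's
// explicitly unsanitized counterpart and is flagged too. Reads and
// comparisons (`x.innerHTML === ''`) are not matched.
const HTML_SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/ },
  { name: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
  { name: 'document.write', re: /\bdocument\.write(?:ln)?\s*\(/ },
  { name: 'setHTMLUnsafe', re: /\.setHTMLUnsafe\s*\(/ },
];

// Return [{ line, sink }] for every sink found in `source` (1-based lines).
function findHtmlSinks(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    for (const { name, re } of HTML_SINKS) {
      if (re.test(text)) hits.push({ line: i + 1, sink: name });
    }
  });
  return hits;
}

// Constructed source snippet for the scanner.
const SAMPLE_SOURCE = [
  "const box = document.getElementById('comment');",
  "box.innerHTML = userComment;                         // sink",
  "if (box.innerHTML === '') box.textContent = 'empty'; // read, not a sink",
  "box.insertAdjacentHTML('beforeend', more);           // sink",
  "box.setHTML(userComment);                            // sanitized, not flagged",
].join('\n');

// Stand-alone run: one modern element, one legacy element, then the scan.
const modern = makeElementDouble(true);
const legacy = makeElementDouble(false);
console.log(renderUntrusted(modern, SAMPLE_PAYLOAD)); // setHTML
console.log(renderUntrusted(legacy, SAMPLE_PAYLOAD)); // textContent
console.log(findHtmlSinks(SAMPLE_SOURCE));            // lines 2 and 4
```

In a browser, call renderUntrusted(document.querySelector('#comment'), untrustedHtml) and run findHtmlSinks over your own bundle: every hit is a line setHTML() can replace, and any setHTMLUnsafe() hit deserves the same review as innerHTML. The textContent fallback is a deliberate choice; silently reverting to innerHTML on older browsers would reintroduce exactly the sink the migration is meant to remove.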