Does Solid handle XSS and event cross-browser compatibility?

[Nick-Mazuk]

FIrst off, just found Solid and I'm very impressed by the speed and small bundle size—it's exactly the kind of framework I've been looking for for quite a while! Looking forward for using it in a few upcoming projects.

Just a couple questions:

• Does Solid automatically sanitize text to prevent XSS attacks?
• Does Solid standardize how browsers handle events (e.g., onChange works differently for input[type='file'] in Safari vs Chrome)?

React does both of these things. XSS, events. I know Solid isn't trying to replace React, and personally I like Solid's mental model better. It would just be to know this before diving head-first into Solid.

Thanks!

[ryansolid]

In terms of XSS, Solid sets all body text using textContent or textNode.data. It hasn't been particularly focus mind you since these are good because they are highly performant. That covers the main cases like <script/> tag injection.

It's probably worth me doing an audit since I've never done so. I did try all the attribute examples in the document and they seem to be fine. But I imagine that is more based on the browser than anything I'm doing. So I will take a look at what Preact does. There may be some cases I haven't protected against.

In terms of SSR I do escape all strings and inputs in body and attributes.

For events the answer is no. I followed the lead of Preact etc and am doing nothing special to normalize events. There is a system of partial event delegation but it isn't for standardization but rather performance and some advanced features like Portals and Progressive Hydration.

[Nick-Mazuk]

Thanks for the detailed answer, @ryansolid!