I think their thinking is that a “good secure” js framework will prevent a novice from making insecure mistakes like this.
I guess this makes sense since security is hard and when you are a novice, you may have never heard of XSS. On the other hand, binding to innerHtml has its use cases (I used it once, don’t remember why exactly). So I guess we are back to the security vs features kind of dilemma.
I wonder if we could use a linter to detect binding to innerHtml and display a security warning in these cases? This could be a good compromise.
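The linter idea from the comment above, as an added example that is not part of the original thread: a small rule that scans source text for DOM `innerHTML` assignments and for the Angular-style `[innerHTML]` and Vue-style `v-html` template bindings, and reports each hit with a line number and a warning suggesting a safer alternative. The rule names, the `lintInnerHtml` function and the sample source are constructed for this example; it is a regex pass over lines, not a full AST-based ESLint rule.

```javascript
// Added example (not from the original thread): a minimal lint rule that flags
// assignments and template bindings to innerHTML so the developer sees a
// security warning at review time. Rule names and the sample source below are
// constructed for this example.

const INNER_HTML_RULES = [
  // DOM API: el.innerHTML = ... or el.innerHTML += ...
  // The (?!=) lookahead keeps comparisons like el.innerHTML === "" from matching.
  { name: 'dom-innerhtml-assignment', re: /\.innerHTML\s*\+?=(?!=)/,
    hint: 'Prefer textContent, or sanitize the HTML before assigning it.' },
  // Angular-style property binding: [innerHTML]="expr"
  { name: 'angular-innerhtml-binding', re: /\[innerHTML\]\s*=/,
    hint: 'Bind untrusted data with interpolation {{ }} instead of [innerHTML].' },
  // Vue-style directive: v-html="expr"
  { name: 'vue-v-html-directive', re: /\bv-html\s*=/,
    hint: 'Use {{ }} or v-text for untrusted data instead of v-html.' },
];

// Scan a source string line by line and return one finding per rule hit.
function lintInnerHtml(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    // Skip pure line comments so commented-out code does not trigger warnings.
    if (text.trim().startsWith('//')) return;
    for (const { name, re, hint } of INNER_HTML_RULES) {
      if (re.test(text)) {
        findings.push({
          line: idx + 1,
          rule: name,
          severity: 'warning',
          message: `Possible XSS sink: raw HTML binding on line ${idx + 1}. ${hint}`,
        });
      }
    }
  });
  return findings;
}

// Render findings in a linter-style "line:rule message" format.
function formatFindings(findings) {
  return findings.map((f) => `${f.line}: [${f.severity}] ${f.rule} - ${f.message}`).join('\n');
}

// Constructed sample mixing a DOM script with two framework templates.
const SAMPLE_SOURCE = [
  'const el = document.getElementById("out");',
  'el.innerHTML = userInput;',            // should be flagged
  'el.textContent = userInput;',          // safe, not flagged
  'if (el.innerHTML === "") { reset(); }', // comparison, not flagged
  '<div [innerHTML]="comment.body"></div>', // should be flagged
  '<p v-html="post.body"></p>',           // should be flagged
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatFindings(lintInnerHtml(SAMPLE_SOURCE)));
}
```

Run as a script it prints three warnings (lines 2, 5 and 6) and stays quiet on the `textContent` assignment and the `innerHTML ===` comparison; wiring the same checks into a real ESLint rule would use the AST (`MemberExpression` with property `innerHTML` on the left of an assignment) rather than a regex, which avoids false positives in strings and comments.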