Farewell innerHTML, Welcome setHTML

The new `.setHTML()` method in JavaScript, part of the Sanitizer API, serves as a direct replacement for assigning to the `.innerHTML` property, enhancing site security against XSS attacks. Mozilla’s branding aptly sums this up: [Goodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148](https://hacks.mozilla.org/2026/02/goodbye-innerhtml-hello-sethtml-stronger-xss-protection-in-firefox-148).

Listen to [Frederik Braun on ShopTalk](https://shoptalkshow.com/704/), where he dives deep into this topic, and check out a bonus blog post where he [demonstrates the method](https://frederikbraun.de/perfect-types-with-sethtml.html) to make only `setHTML` work, “essentially removing all DOM-XSS risks.”
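
As an added example (not code from this post, from Mozilla, or from Frederik Braun), here is one way to move existing `innerHTML` writes over to `setHTML`: a wrapper that feature-detects the method and falls back to inert text, plus a heuristic audit that lists the lines still writing to string-to-HTML sinks. The names `renderUntrusted` and `findHtmlSinks` and the sample source are assumptions constructed for illustration.

```javascript
// Added example: migrating innerHTML writes to setHTML.
// Assumption: supporting browsers expose Element.prototype.setHTML(html).

// Write untrusted markup into `el`. Uses the Sanitizer API when present;
// otherwise falls back to inert text instead of falling back to innerHTML.
function renderUntrusted(el, html) {
  if (typeof el.setHTML === "function") {
    el.setHTML(String(html)); // the browser sanitizes before inserting
    return "setHTML";
  }
  el.textContent = String(html); // shown literally, never parsed as HTML
  return "textContent";
}

// Heuristic audit: report lines that still write to string-to-HTML sinks,
// i.e. candidates for renderUntrusted(). It is line-based and will miss
// computed property access such as el["inner" + "HTML"].
const SINKS = [
  { name: "innerHTML", re: /\.innerHTML\s*\+?=(?!=)/ },
  { name: "outerHTML", re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: "insertAdjacentHTML", re: /\.insertAdjacentHTML\s*\(/ },
  { name: "document.write", re: /\bdocument\.write(ln)?\s*\(/ },
];

function findHtmlSinks(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of SINKS) {
      if (re.test(text)) hits.push({ line: i + 1, sink: name, text: text.trim() });
    }
  });
  return hits;
}

// Constructed sample source for the audit (not taken from any real project).
const SAMPLE = [
  'const box = document.querySelector("#comment");',
  "box.innerHTML = userComment;",        // write: reported
  'if (box.innerHTML === "") return;',   // read/compare: not reported
  'list.insertAdjacentHTML("beforeend", row);',
  "box.setHTML(userComment);",           // already migrated
].join("\n");

console.log(findHtmlSinks(SAMPLE));
```

The fallback deliberately degrades to plain text on browsers without `setHTML`, so the unsanitized path is never reintroduced.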
