Using innerHTML will expose the library to the possibility of cross-site scripting and HTML injection; textContent will instead use the string passed as-is, without parsing it as HTML.
Note that textContent is the default behaviour of Polymer.
cc @leogr, who helped me discover and fix this issue.
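A regression check that fits this change, as an added example that is not part of the pull request or the library: it scans source text for assignments to HTML-parsing sinks so an innerHTML write does not return after the switch to textContent. It generalizes from innerHTML to outerHTML and insertAdjacentHTML; the function names and the sample source are constructed for illustration.

```javascript
// Added example: flag DOM sinks that parse a string as HTML.
// Heuristic only: it does not see bracket access (el['innerHTML'] = x),
// and a "//" inside a string literal hides the rest of that line.
const HTML_SINKS = [
  { name: 'innerHTML', re: /\.innerHTML\s*\+?=(?!=)/ },      // = and +=, not == / ===
  { name: 'outerHTML', re: /\.outerHTML\s*\+?=(?!=)/ },
  { name: 'insertAdjacentHTML', re: /\.insertAdjacentHTML\s*\(/ },
];

// Blank out comments but keep line breaks, so reported line numbers stay correct.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/\/\/[^\n]*/g, (m) => ' '.repeat(m.length));
}

// Return [{ line, sink }] for every write to an HTML-parsing sink.
function findHtmlSinks(src) {
  const findings = [];
  stripComments(src).split('\n').forEach((line, i) => {
    for (const sink of HTML_SINKS) {
      if (sink.re.test(line)) findings.push({ line: i + 1, sink: sink.name });
    }
  });
  return findings;
}

// Constructed sample component source (not taken from the library).
const SAMPLE = [
  "function render(el, label) {",
  "  // el.innerHTML = label;  (old behaviour, kept as a comment)",
  "  el.textContent = label;",
  "  if (el.innerHTML === '') { el.hidden = true; }",
  "  el.querySelector('.hint').innerHTML += label;",
  "  el.insertAdjacentHTML('beforeend', label);",
  "}",
].join('\n');

// Reading innerHTML and writing textContent are not flagged; lines 5 and 6 are.
console.log(findHtmlSinks(SAMPLE));
```

Run against the files a change touches, a non-empty result is a prompt to check whether the value can contain untrusted input and whether textContent would do.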