Closed Bug 443564 Opened 16 years ago Closed 6 years ago

Implement window.toStaticHTML


(Core :: DOM: Core & HTML, enhancement, P2)






(Reporter: c1541, Unassigned)


(Blocks 1 open bug)


(Keywords: sec-want, Whiteboard: [sg:want?])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 

IE8 implements a new method called window.toStaticHTML which removes any potentially executable script constructs.
See for some brief details

Reproducible: Always
Blocks: xss
Ever confirmed: true
Version: unspecified → Trunk
Flags: wanted1.9.1?
> node.innerHTML = window.toStaticHTML(untrustedString);

This seems like a strange API, since it forces the browser to parse the HTML twice.  This is not only slow but also dangerous: a disagreement between the two parsers (or between a serializer and a parser) could introduce new XSS holes.  I'd rather see a function that parses a string into a safe DocumentFragment (to be used along with appendChild or insertBefore) or a method similar to ".innerHTML=" that skips scripts.
Whiteboard: [sg:want?]
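The comment above prefers a function that parses an untrusted string once into a safe DocumentFragment (for use with appendChild or insertBefore) over one that returns a string to be parsed a second time. One way to do that in the browser is shown here as an added example; it is not code from this bug, from Mozilla or from IE8, and the names `toStaticFragment`, `copySafe`, `isSafeUrl` and the allowlists are assumptions.

```javascript
// Added example: the allowlists and function names are illustrative assumptions.
const XHTML_NS = 'http://www.w3.org/1999/xhtml';
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span']);
const ALLOWED_ATTRS = { a: ['href', 'title'], span: ['title'] };
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Accept relative URLs and the schemes above; reject javascript:, data:, etc.
function isSafeUrl(value) {
  try {
    return SAFE_SCHEMES.has(new URL(value, 'https://base.invalid/').protocol);
  } catch (e) {
    return false; // unparseable URL
  }
}

// Copy allowlisted nodes from an already-parsed tree into `target`, creating
// fresh nodes with `doc`. The tree is never serialized back to a string, so
// no second parser gets a chance to read the markup differently.
function copySafe(doc, source, target) {
  for (const child of Array.from(source.childNodes)) {
    if (child.nodeType === 3) { // text node
      target.appendChild(doc.createTextNode(child.nodeValue));
      continue;
    }
    // Drop comments, non-HTML (SVG/MathML) elements and any element that is
    // not allowlisted, together with its whole subtree.
    if (child.nodeType !== 1 || child.namespaceURI !== XHTML_NS ||
        !ALLOWED_TAGS.has(child.localName)) continue;
    const el = doc.createElement(child.localName);
    for (const name of ALLOWED_ATTRS[child.localName] || []) {
      const value = child.getAttribute(name);
      if (value === null) continue;
      if (name === 'href' && !isSafeUrl(value)) continue;
      el.setAttribute(name, value); // on* handlers are never in the allowlist
    }
    copySafe(doc, child, el);
    target.appendChild(el);
  }
  return target;
}

// Browser entry point: parse once into an inert document (DOMParser output has
// no browsing context, so its scripts do not run), then copy into a fragment.
function toStaticFragment(untrustedString) {
  const inert = new DOMParser().parseFromString(untrustedString, 'text/html');
  return copySafe(document, inert.body, document.createDocumentFragment());
}
```

A caller would then write `node.appendChild(toStaticFragment(untrustedString))`, so the only HTML parse happens inside `toStaticFragment`.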
If we're going to do this "right" (and not just copy an API) how about:

  node.staticHTML = untrustedString
  var trustedString = node.staticHTML;

If we want to be even more specific we could state .staticInnerHTML - but considering that there is no alternative (unlike in IE - which has outerHTML) - just pure .staticHTML could be fine.
FWIW, if you guys are going to do something too, please bring it up in the W3C/WHATWG.
Blake, you interested in looking at what it would take to get the parser to play nice in a model like this one? Not critical, but would be a nice feature to include in 1.9.1.
Assignee: nobody → mrbkap
Flags: wanted1.9.1? → wanted1.9.1+
Priority: -- → P2
We already have an API that produces "static" HTML:

Wonder how close these things are.
Assignee: mrbkap → nobody
Blocks: WBGP
Closing as INVALID. If this is still desired it needs to be standardized first. We'll then reconsider it.
Closed: 6 years ago
Resolution: --- → INVALID
Component: DOM → DOM: Core & HTML