Implement window.toStaticHTML

Status: NEW (Unassigned)
Product: Core
Component: DOM
Priority: P2
Severity: enhancement
Opened: 9 years ago
Updated: 11 months ago

People

(Reporter: c1541, Unassigned)

Tracking

Blocks: 1 bug
Keywords: sec-want
Version: Trunk
Bug Flags: wanted1.9.1+
Firefox Tracking Flags: (Not tracked)

Details

(Whiteboard: [sg:want?])

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier: 

IE8 implements a new method called window.toStaticHTML which removes any potentially executable script constructs.
See http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx for some brief details

Reproducible: Always

Updated

9 years ago
Blocks: 301375
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → Trunk
Flags: wanted1.9.1?

Comment 1

9 years ago
> node.innerHTML = window.toStaticHTML(untrustedString);

This seems like a strange API, since it forces the browser to parse the HTML twice.  This is not only slow but also dangerous: a disagreement between the two parsers (or between a serializer and a parser) could introduce new XSS holes.  I'd rather see a function that parses a string into a safe DocumentFragment (to be used along with appendChild or insertBefore) or a method similar to ".innerHTML=" that skips scripts.
Whiteboard: [sg:want?]
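The API shape Comment 1 argues for, as an added example that is not part of this bug or of Mozilla's code: untrusted markup is parsed once into a tree, allowlist decisions are taken while the tree is built, and the tree itself is handed back (standing in for a DocumentFragment), so a consumer appends it instead of re-parsing a string. The function names `parseStaticFragment` and `toStaticHTML`, the allowlists, and the tiny tokenizer are all assumptions for illustration; the tokenizer is a deliberately small approximation of HTML parsing, not the HTML5 algorithm.

```javascript
// Added example, not Mozilla code: a toy "parse once, sanitise the tree" fragment
// builder. The tokenizer is a small approximation of HTML parsing (four named
// entities only, no attribute values containing '>'), not the HTML5 algorithm;
// it exists to show the shape of the API Comment 1 argues for.

// Allowlists (constructed for this example): elements that may survive, and the
// attributes each may carry.
const ALLOWED_ELEMENTS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'span', 'div', 'ul', 'ol', 'li', 'br', 'img']);
const ALLOWED_ATTRS = { '*': new Set(['title', 'class']), a: new Set(['href']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);
const VOID_ELEMENTS = new Set(['br', 'img']);
// Elements whose content is code rather than text: dropped together with their content.
const DROP_CONTENT = new Set(['script', 'style']);

const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"' };

function decodeEntities(s) { return s.replace(/&(amp|lt|gt|quot);/g, (_, n) => ENTITIES[n]); }
function escapeText(s) { return s.replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' })[c]); }
function escapeAttr(s) { return escapeText(s).replace(/"/g, '&quot;'); }

// Relative URLs and a short scheme allowlist pass; scripting schemes do not.
function safeUrl(value) {
  const v = value.trim().toLowerCase();
  if (!/^[a-z][a-z0-9+.-]*:/.test(v)) return true;
  return v.startsWith('http:') || v.startsWith('https:') || v.startsWith('mailto:');
}

function sanitizeAttrs(tag, rawAttrs) {
  const attrs = {};
  const perTag = Object.prototype.hasOwnProperty.call(ALLOWED_ATTRS, tag) ? ALLOWED_ATTRS[tag] : null;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (!ALLOWED_ATTRS['*'].has(name) && !(perTag !== null && perTag.has(name))) continue; // on* handlers never get in
    if (URL_ATTRS.has(name) && !safeUrl(value)) continue;   // a scripting URL is dropped, the element stays
    attrs[name] = value;
  }
  return attrs;
}

// Parse untrusted markup exactly once into a plain-object tree, deciding what to keep
// as each node is built. The result stands in for a DocumentFragment: a consumer
// appends it and never serialises and re-parses it.
function parseStaticFragment(html) {
  const root = { type: 'fragment', children: [] };
  const stack = [root];
  let skipUntil = null;   // name of the <script>/<style> element whose content is being discarded
  let last = 0;
  const emitText = (text) => {
    if (text !== '' && skipUntil === null) stack[stack.length - 1].children.push({ type: 'text', text: decodeEntities(text) });
  };
  for (const m of html.matchAll(TAG_RE)) {
    emitText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (skipUntil !== null) { if (closing && tag === skipUntil) skipUntil = null; continue; }
    if (closing) {
      // Pop back to the nearest open element of this name; stray end tags are ignored.
      for (let i = stack.length - 1; i > 0; i--) if (stack[i].tag === tag) { stack.length = i; break; }
      continue;
    }
    if (DROP_CONTENT.has(tag)) { skipUntil = tag; continue; }
    if (!ALLOWED_ELEMENTS.has(tag)) continue;   // unknown element is unwrapped: its children are still processed
    const el = { type: 'element', tag, attrs: sanitizeAttrs(tag, m[3]), children: [] };
    stack[stack.length - 1].children.push(el);
    if (!VOID_ELEMENTS.has(tag)) stack.push(el);
  }
  emitText(html.slice(last));
  return root;
}

function serialize(node) {
  if (node.type === 'text') return escapeText(node.text);
  const inner = node.children.map(serialize).join('');
  if (node.type === 'fragment') return inner;
  const attrs = Object.entries(node.attrs).map(([k, v]) => ` ${k}="${escapeAttr(v)}"`).join('');
  return VOID_ELEMENTS.has(node.tag) ? `<${node.tag}${attrs}>` : `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// String-in/string-out convenience, the shape of IE8's window.toStaticHTML. Whoever
// assigns this to innerHTML parses it a second time, which is the cost Comment 1 objects to.
function toStaticHTML(html) { return serialize(parseStaticFragment(html)); }

console.log(toStaticHTML('<p onclick="run()">hi <script>run()</script><b>there</b></p>')); // <p>hi <b>there</b></p>
```

The tree from `parseStaticFragment` is the artefact worth handing to callers: every decision about what survives was made against the parsed structure, so nothing depends on a serializer and a second parser agreeing about the same bytes. `toStaticHTML` is kept only to show how little the string form adds.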

Comment 2

9 years ago
If we're going to do this "right" (and not just copy an API) how about:

  node.staticHTML = untrustedString
  var trustedString = node.staticHTML;

If we want to be even more specific we could state .staticInnerHTML - but considering that there is no alternative (unlike in IE - which has outerHTML) - just pure .staticHTML could be fine.

Comment 3

9 years ago
FWIW, if you guys are going to do something too, please bring it up in the W3C/WHATWG.
Blake, you interested in looking at what it would take to get the parser to play nice in a model like this one? Not critical, but would be a nice feature to include in 1.9.1.
Assignee: nobody → mrbkap
Flags: wanted1.9.1? → wanted1.9.1+
Priority: -- → P2

Comment 5

9 years ago
We already have an API that produces "static" HTML:

http://mxr.mozilla.org/mozilla-central/search?string=paranoidfragment

Wonder how close these things are.

Updated

8 years ago
Assignee: mrbkap → nobody

Comment 6

7 years ago
WhatWG and WebKit security people have discussed "innerStaticHTML":
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg09115.html
Keywords: sec-want
Blocks: 933949