Bug 443564 - Implement window.toStaticHTML
Status: RESOLVED INVALID (Closed)
Opened 15 years ago; closed 6 years ago
Component: Core :: DOM: Core & HTML, enhancement, P2
Reporter: c1541; Assignee: Unassigned
References: Blocks 1 open bug
Keywords: sec-want, Whiteboard: [sg:want?]
Description

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier:

IE8 implements a new method called window.toStaticHTML which removes any potentially executable script constructs. See http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx for some brief details.

Reproducible: Always
Updated•15 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → Trunk

Updated•15 years ago
Flags: wanted1.9.1?
Comment 1•15 years ago

> node.innerHTML = window.toStaticHTML(untrustedString);

This seems like a strange API, since it forces the browser to parse the HTML twice. This is not only slow but also dangerous: a disagreement between the two parsers (or between a serializer and a parser) could introduce new XSS holes. I'd rather see a function that parses a string into a safe DocumentFragment (to be used along with appendChild or insertBefore) or a method similar to ".innerHTML=" that skips scripts.
Whiteboard: [sg:want?]
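An added example, not code from this bug or from Mozilla, of the alternative Comment 1 asks for: the untrusted string is parsed exactly once into a DocumentFragment, script-capable constructs are pruned while walking that fragment, and the fragment is inserted with appendChild, so nothing is ever serialized back to text and reparsed. The function names, the element and attribute denylists, and the use of a template element are assumptions made for this illustration.

```javascript
// Illustrative denylist only; a production sanitizer should be
// allowlist-based (e.g. a maintained library), this just shows the
// parse-once-into-a-fragment shape instead of a string round trip.
const UNSAFE_ELEMENTS = new Set(["script", "iframe", "object", "embed", "base"]);
const URL_ATTRIBUTES = new Set(["href", "src", "action", "formaction", "xlink:href"]);

// Event handler attributes (on*) and script-scheme URLs are the
// attribute-level ways to obtain script execution from markup.
function isUnsafeAttribute(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith("on")) return true;
  if (URL_ATTRIBUTES.has(n)) {
    // Browsers ignore C0 controls and whitespace inside the scheme, so
    // strip them before comparing (e.g. "java\nscript:" is still live).
    const scheme = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
    return scheme.startsWith("javascript:") || scheme.startsWith("vbscript:");
  }
  return false;
}

function isUnsafeElement(tagName) {
  return UNSAFE_ELEMENTS.has(tagName.toLowerCase());
}

// Browser-only (needs a DOM). The <template> element parses into an inert
// DocumentFragment, so nothing runs during parsing; the tree is then
// pruned in place and handed to the caller as a fragment, never as text.
function toSafeFragment(untrustedHtml, doc = document) {
  const tpl = doc.createElement("template");
  tpl.innerHTML = untrustedHtml;
  const fragment = tpl.content;
  // Iterate over a snapshot so removals do not disturb the walk.
  for (const el of Array.from(fragment.querySelectorAll("*"))) {
    if (isUnsafeElement(el.tagName)) { el.remove(); continue; }
    for (const attr of Array.from(el.attributes)) {
      if (isUnsafeAttribute(attr.name, attr.value)) el.removeAttribute(attr.name);
    }
  }
  return fragment;
}

// Browser usage: node.appendChild(toSafeFragment(untrustedString));
```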
Comment 2•15 years ago

If we're going to do this "right" (and not just copy an API) how about:

node.staticHTML = untrustedString
var trustedString = node.staticHTML;

If we want to be even more specific we could state .staticInnerHTML - but considering that there is no alternative (unlike in IE - which has outerHTML) - just pure .staticHTML could be fine.
Comment 3•15 years ago

FWIW, if you guys are going to do something too, please bring it up in the W3C/WHATWG.
Comment 4•15 years ago

Blake, you interested in looking at what it would take to get the parser to play nice in a model like this one? Not critical, but would be a nice feature to include in 1.9.1.

Assignee: nobody → mrbkap
Flags: wanted1.9.1? → wanted1.9.1+
Priority: -- → P2
Comment 5•15 years ago

We already have an API that produces "static" HTML:
http://mxr.mozilla.org/mozilla-central/search?string=paranoidfragment

Wonder how close these things are.

Updated•14 years ago
Assignee: mrbkap → nobody
Comment 6•13 years ago

WhatWG and WebKit security people have discussed "innerStaticHTML":
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg09115.html
Comment 7•6 years ago

Closing as INVALID. If this is still desired it needs to be standardized first. We'll then reconsider it.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID

Updated•4 years ago
Component: DOM → DOM: Core & HTML