Closed
Bug 443564
Opened 17 years ago
Closed 7 years ago
Implement window.toStaticHTML
Categories
(Core :: DOM: Core & HTML, enhancement, P2)
RESOLVED
INVALID
People
(Reporter: c1541, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: sec-want, Whiteboard: [sg:want?])
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier:
IE8 implements a new method called window.toStaticHTML, which removes any potentially executable script constructs.
See http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx for some brief details.
Reproducible: Always
Updated•17 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → Trunk
Updated•17 years ago
Flags: wanted1.9.1?
Comment 1•17 years ago
> node.innerHTML = window.toStaticHTML(untrustedString);
This seems like a strange API, since it forces the browser to parse the HTML twice. This is not only slow but also dangerous: a disagreement between the two parsers (or between a serializer and a parser) could introduce new XSS holes. I'd rather see a function that parses a string into a safe DocumentFragment (to be used along with appendChild or insertBefore) or a method similar to ".innerHTML=" that skips scripts.
Whiteboard: [sg:want?]
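The "parse once into a safe tree" design Comment 1 argues for, as an added example that is not part of this bug or of Gecko's code: the untrusted string is tokenized exactly once into a fragment tree built from an allowlist of tags and attributes, script elements and their bodies are dropped, event-handler attributes and non-http(s) URLs never enter the tree, and the caller materializes the tree with createElement/createTextNode and appends the resulting DocumentFragment. Nothing is serialized back to HTML and reparsed, which is the step Comment 1 identifies as the source of parser-disagreement XSS. The allowlists, the simplified tokenizer (it does not handle ">" inside quoted attribute values or entities beyond the five basic ones) and the sample input are this example's own assumptions; it is a model of the design, not a production sanitizer.

```javascript
// Added example: allowlist-based "static fragment" builder in the spirit of
// Comment 1.  Parses untrusted HTML once into a plain tree; the tree is meant
// to be turned into DOM nodes (see toDOM), never serialized and reparsed.
// Allowlists and tokenizer are this example's assumptions, not Gecko's parser.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br', 'img', 'span', 'div']);
const ALLOWED_ATTRS = { a: ['href', 'title'], img: ['src', 'alt'], '*': ['class'] };
const VOID_TAGS = new Set(['br', 'img']);
// Elements whose body is raw text in HTML; when the element is dropped, so is its body.
const RAW_TEXT_TAGS = new Set(['script', 'style']);
// Only these URL shapes may survive in href/src (drops javascript:, data:, vbscript: ...).
const SAFE_URL = /^(?:https?:|mailto:|\/|#|\.\/)/i;

function decodeEntities(s) {
  const map = { lt: '<', gt: '>', amp: '&', quot: '"', '#39': "'" };
  return s.replace(/&(lt|gt|amp|quot|#39);/g, (_, e) => map[e]);
}

// Keep only allowlisted attributes for this tag; on* handlers are never listed, so they vanish.
function parseAttributes(raw, tag) {
  const attrs = {};
  const allowed = new Set([...(ALLOWED_ATTRS[tag] || []), ...ALLOWED_ATTRS['*']]);
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (!allowed.has(name)) continue;
    if ((name === 'href' || name === 'src') && !SAFE_URL.test(value.trim())) continue;
    attrs[name] = value;
  }
  return attrs;
}

// Tokenize once and build a tree: { type: 'fragment'|'element'|'text', ... }.
function toStaticFragment(html) {
  const root = { type: 'fragment', children: [] };
  const stack = [root];
  const tokens = /<!--[\s\S]*?-->|<\/([a-zA-Z][^\s>]*)\s*>|<([a-zA-Z][^\s\/>]*)([^>]*?)(\/?)>|[^<]+|</g;
  let m;
  while ((m = tokens.exec(html)) !== null) {
    const tok = m[0];
    if (tok.startsWith('<!--')) continue;                 // comments never reach the tree
    if (m[1] !== undefined) {                              // closing tag: pop to the matching element
      const name = m[1].toLowerCase();
      for (let i = stack.length - 1; i > 0; i--) {
        if (stack[i].name === name) { stack.length = i; break; }
      }
      continue;
    }
    if (m[2] !== undefined) {                              // opening tag
      const name = m[2].toLowerCase();
      if (RAW_TEXT_TAGS.has(name)) {
        // Skip the raw body up to its end tag; the end tag is then matched and ignored.
        const end = html.toLowerCase().indexOf('</' + name, tokens.lastIndex);
        tokens.lastIndex = end === -1 ? html.length : end;
        continue;
      }
      if (!ALLOWED_TAGS.has(name)) continue;               // unknown element dropped, its children kept
      const el = { type: 'element', name, attrs: parseAttributes(m[3], name), children: [] };
      stack[stack.length - 1].children.push(el);
      if (!VOID_TAGS.has(name) && m[4] !== '/') stack.push(el);
      continue;
    }
    // Text: decoded once here, stored inert; a later createTextNode cannot turn it into markup.
    stack[stack.length - 1].children.push({ type: 'text', value: decodeEntities(tok) });
  }
  return root;
}

// Browser-side consumer (not exercised under Node, which has no DOM): build real
// nodes from the tree and return a DocumentFragment for appendChild/insertBefore.
function toDOM(tree, doc) {
  const build = (node) => {
    if (node.type === 'text') return doc.createTextNode(node.value);
    const el = node.type === 'fragment' ? doc.createDocumentFragment() : doc.createElement(node.name);
    if (node.type === 'element') for (const [k, v] of Object.entries(node.attrs)) el.setAttribute(k, v);
    for (const child of node.children) el.appendChild(build(child));
    return el;
  };
  return build(tree);
}

// Constructed sample input (not from the bug): handler attribute, script body,
// javascript: URL, onerror on a void element, a comment, and escaped text.
const SAMPLE = '<p class="x" onclick="evil()">hi <b>there</b><script>alert(1)</script></p>'
  + '<a href="javascript:alert(1)">l</a><img src="/pic.png" onerror="x"><!-- c -->&lt;script&gt;';

console.log(JSON.stringify(toStaticFragment(SAMPLE), null, 1));
```

In a page you would call `node.appendChild(toDOM(toStaticFragment(untrusted), document))`; the `&lt;script&gt;` at the end of the sample becomes a text node whose value is the literal string `<script>`, which is harmless precisely because it is never re-read as markup.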
Comment 2•17 years ago
If we're going to do this "right" (and not just copy an API) how about:
node.staticHTML = untrustedString
var trustedString = node.staticHTML;
If we want to be even more specific we could state .staticInnerHTML, but considering that there is no alternative (unlike in IE, which has outerHTML), just pure .staticHTML could be fine.
Comment 3•17 years ago
FWIW, if you guys are going to do something too, please bring it up in the W3C/WHATWG.
Comment 4•17 years ago
Blake, you interested in looking at what it would take to get the parser to play nice in a model like this one? Not critical, but would be a nice feature to include in 1.9.1.
Assignee: nobody → mrbkap
Flags: wanted1.9.1? → wanted1.9.1+
Priority: -- → P2
Comment 5•16 years ago
We already have an API that produces "static" HTML:
http://mxr.mozilla.org/mozilla-central/search?string=paranoidfragment
Wonder how close these things are.
Updated•15 years ago
Assignee: mrbkap → nobody
Comment 6•14 years ago
WhatWG and WebKit security people have discussed "innerStaticHTML":
http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
http://www.mail-archive.com/webkit-dev@lists.webkit.org/msg09115.html
Comment 7•7 years ago
Closing as INVALID. If this is still desired it needs to be standardized first. We'll then reconsider it.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•6 years ago
Component: DOM → DOM: Core & HTML