User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9) Gecko/2008052906 Firefox/3.0
Build Identifier:

IE8 implements a new method called window.toStaticHTML which removes any potentially executable script constructs. See http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx for some brief details.

Reproducible: Always
> node.innerHTML = window.toStaticHTML(untrustedString);

This seems like a strange API, since it forces the browser to parse the HTML twice. This is not only slow but also dangerous: a disagreement between the two parsers (or between a serializer and a parser) could introduce new XSS holes. I'd rather see a function that parses a string into a safe DocumentFragment (to be used along with appendChild or insertBefore) or a method similar to ".innerHTML=" that skips scripts.
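To make the comment's distinction concrete, here is an added example (not code from this bug, from IE8, or from Mozilla's paranoid fragment sink) of the filtering that a "static HTML" sink has to apply: parse once with a real parser, keep only allow-listed elements and attributes, drop every event-handler attribute and every URL whose scheme is not allow-listed, and discard the raw contents of script and style elements. It uses only Python's standard-library html.parser; the allow-lists, the helper names and the test strings are assumptions chosen for illustration. Because this version serializes back to a string, it is exactly the parse/serialize/re-parse shape the comment warns about when the result is fed to innerHTML; an in-browser sink would instead keep the filtered tree and insert it as a DocumentFragment.

```python
from html import escape
from html.parser import HTMLParser

# Allow-lists are assumptions for this example, not a standard set.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li",
                "span", "div", "img", "code", "pre"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}
RAW_TEXT_TAGS = {"script", "style"}   # contents are not HTML; drop them whole


def safe_url(value):
    """True if the URL is relative or uses an allow-listed scheme."""
    # Browsers ignore ASCII control characters and whitespace inside a
    # scheme, so strip them before looking at it.
    cleaned = "".join(ch for ch in value if ord(ch) > 32)
    head = cleaned.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True                      # no scheme at all: relative URL
    return head.split(":", 1)[0].lower() in SAFE_SCHEMES


class StaticHTML(HTMLParser):
    """Single-pass allow-list filter built on the stdlib HTML parser."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open = []        # allow-listed elements currently open
        self.muted = None     # raw-text element whose contents are dropped

    def handle_starttag(self, tag, attrs):
        if self.muted:
            return
        if tag in RAW_TEXT_TAGS:
            self.muted = tag
            return
        if tag not in ALLOWED_TAGS:
            return            # drop the tag itself, keep its text children
        pieces = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS or value is None:
                continue      # this drops every on* handler and unknown attr
            if name in URL_ATTRS and not safe_url(value):
                continue      # e.g. javascript: or data: URLs
            pieces.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.muted:
            if tag == self.muted:
                self.muted = None
            return
        if tag in self.open:
            # Close anything still open inside it so the output nests cleanly.
            while True:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.muted:
            self.out.append(escape(data, quote=False))

    # Comments (including IE conditional comments), doctypes and PIs are
    # dropped: none of them belong in untrusted fragment content.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def unknown_decl(self, data):
        pass

    def result(self):
        self.close()
        while self.open:                 # close whatever the input left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def to_static_html(untrusted):
    """Return a serialized, script-free version of an untrusted fragment."""
    parser = StaticHTML()
    parser.feed(untrusted)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    sample = '<p onclick="x()">hi <script>alert(1)</script><b>there</b></p>'
    print(to_static_html(sample))        # <p>hi <b>there</b></p>
```

The unit to read is `handle_starttag`: everything not explicitly listed is removed, which is what "static" has to mean for this to be safe. A deny-list of known-bad attributes would be the wrong design, since the set of executable constructs grows with every browser release.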
If we're going to do this "right" (and not just copy an API) how about:

node.staticHTML = untrustedString
var trustedString = node.staticHTML;

If we want to be even more specific we could state .staticInnerHTML - but considering that there is no alternative (unlike in IE - which has outerHTML) - just pure .staticHTML could be fine.
FWIW, if you guys are going to do something too, please bring it up in the W3C/WHATWG.
Blake, you interested in looking at what it would take to get the parser to play nice in a model like this one? Not critical, but would be a nice feature to include in 1.9.1.
We already have an API that produces "static" HTML: http://mxr.mozilla.org/mozilla-central/search?string=paranoidfragment Wonder how close these things are.
WhatWG and WebKit security people have discussed "innerStaticHTML": http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html http://firstname.lastname@example.org/msg09115.html