[webkit-dev] innerStaticHTML

Adam Barth abarth at webkit.org
Tue Nov 24 22:37:23 PST 2009

On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
>> In the below message to the WHATWG, Ian suggests that vendors
>> experiment with an API that makes it easier for web developers to
>> programmatically add static HTML content to their pages without XSSing
>> themselves:
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
>> I think we should do as he recommends.  If no one objects, I'll add
>> this to my list of things to work on.
> I think innerStaticHTML is a good idea. Is there also a use case for the
> "static" equivalent of insertAdjacentHTML()?

I think we should experiment with the minimal API that seems useful.
If the experiment is a success, we can scale it up.

Michal suggested to me off-list and another possibility is to have an
API that works like this:

var jail = document.createElement("jail");
jail.innerHTML = untrusted_string;

We could do something similar with attributes:

var jail = document.getElementById("foo");
jail.setAttribute("sandbox", "yes-please");
jail.innerHTML = untrusted_string;

One of the nice things about using a DOM API is we don't have to worry
about crazy parsing issues.
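
An added illustration, not code from this thread or from WebKit: the "static" filtering step applied to a tree that a parser has already built, rather than to the raw string. The `{tag, attrs, children}` node shape, the allow-lists and the function names are assumptions chosen for the example.

```javascript
// Added example: allow-list filter over an already-parsed tree.
// {tag, attrs, children} is a constructed stand-in for DOM elements; strings
// are text nodes. Attribute values are assumed to be entity-decoded already,
// as they are once a real parser has built the tree.
const ALLOWED_TAGS = new Set(["div", "p", "span", "b", "i", "em", "strong",
                              "ul", "ol", "li", "a", "br"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]) };
// Elements removed together with everything inside them.
const DROP_SUBTREE = new Set(["script", "style", "iframe", "object", "embed"]);
// http(s), mailto, or a relative reference with no scheme before the first / ? #
const SAFE_URL = /^(?:https?:|mailto:|[^:]*(?:[\/?#]|$))/i;

function cleanAttrs(tag, attrs) {
  const allowed = ALLOWED_ATTRS[tag] || new Set();
  const out = {};
  for (const [name, value] of Object.entries(attrs || {})) {
    const n = name.toLowerCase();
    if (!allowed.has(n)) continue;                 // drops on*, style, src, ...
    // Strip whitespace/control characters before the scheme check.
    const compact = String(value).replace(/[\u0000-\u0020]/g, "");
    if (n === "href" && !SAFE_URL.test(compact)) continue;
    out[n] = value;
  }
  return out;
}

// Returns the list of static nodes that replaces `node`.
function toStatic(node) {
  if (typeof node === "string") return [node];     // text is inert
  const tag = String(node.tag).toLowerCase();
  if (DROP_SUBTREE.has(tag)) return [];
  const kids = (node.children || []).flatMap(toStatic);
  if (!ALLOWED_TAGS.has(tag)) return kids;         // unwrap, keep static children
  return [{ tag, attrs: cleanAttrs(tag, node.attrs), children: kids }];
}

// Constructed sample input.
const sample = {
  tag: "div", attrs: { onclick: "doSomething()" }, children: [
    "Hello ",
    { tag: "script", attrs: {}, children: ["alert(1)"] },
    { tag: "a", attrs: { href: "java\tscript:alert(1)", title: "t" }, children: ["link"] },
    { tag: "img", attrs: { src: "x", onerror: "alert(1)" }, children: [] },
    { tag: "blink", attrs: {}, children: [{ tag: "b", attrs: {}, children: ["bold"] }] },
  ],
};
```

Because the filter sees decoded attribute values and real element boundaries, it does not need to anticipate how a particular parser tokenizes malformed markup.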

