[webkit-dev] innerStaticHTML
Adam Barth
abarth at webkit.org
Tue Nov 24 22:37:23 PST 2009
On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak <mjs at apple.com> wrote:
> On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
>> In the below message to the WHATWG, Ian suggests that vendors
>> experiment with an API that makes it easier for web developers to
>> programmatically add static HTML content to their pages without XSSing
>> themselves:
>>
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
>>
>> I think we should do as he recommends. If no one objects, I'll add
>> this to my list of things to work on.
>
> I think innerStaticHTML is a good idea. Is there also a use case for the
> "static" equivalent of insertAdjacentHTML()?
I think we should experiment with the minimal API that seems useful.
If the experiment is a success, we can scale it up.
Michal suggested to me off-list and another possibility is to have an
API that works like this:
var jail = document.createElement("jail");
document.getElementById("foo");
jail.innerHTML = untrusted_string;
We could do something similar with attributes:
var jail = document.getElementById("foo");
jail.setAttribute("sandbox", "yes-please");
jail.innerHTML = untrusted_string;
One of the nice things about using a DOM API is we don't have to worry
about crazy parsing issues.
Adam
More information about the webkit-dev
mailing list