[webkit-dev] innerStaticHTML

Maciej Stachowiak mjs at apple.com
Tue Nov 24 23:21:14 PST 2009


On Nov 24, 2009, at 10:37 PM, Adam Barth wrote:

> On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak <mjs at apple.com> wrote:
>> On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
>>> In the below message to the WHATWG, Ian suggests that vendors
>>> experiment with an API that makes it easier for web developers to
>>> programmatically add static HTML content to their pages without XSSing
>>> themselves:
>>>
>>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html
>>>
>>> I think we should do as he recommends.  If no one objects, I'll add
>>> this to my list of things to work on.
>>
>> I think innerStaticHTML is a good idea. Is there also a use case for the
>> "static" equivalent of insertAdjacentHTML()?
>
> I think we should experiment with the minimal API that seems useful.
> If the experiment is a success, we can scale it up.
>
> Michal suggested to me off-list that another possibility is to have an
> API that works like this:
>
> var jail = document.createElement("jail");
> document.getElementById("foo").appendChild(jail);
> jail.innerHTML = untrusted_string;
>
> We could do something similar with attributes:
>
> var jail = document.getElementById("foo");
> jail.setAttribute("sandbox", "yes-please");
> jail.innerHTML = untrusted_string;
>
> One of the nice things about using a DOM API is we don't have to worry
> about crazy parsing issues.

If we tie it to an element or attribute, people may be tempted to just do it
in markup, which would be insecure.

Regards,
Maciej