<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Would like a way to prevent user-controlled markup from breaking out of an element"
href="https://bugs.webkit.org/show_bug.cgi?id=156626#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Would like a way to prevent user-controlled markup from breaking out of an element"
href="https://bugs.webkit.org/show_bug.cgi?id=156626">bug 156626</a>
from <span class="vcard"><a class="email" href="mailto:aroben@webkit.org" title="Adam Roben (:aroben) <aroben@webkit.org>"> <span class="fn">Adam Roben (:aroben)</span></a>
</span></b>
<pre>Some strawman proposals:
<untrusted srcdoc="<p>HTML goes here</p>">
This is similar to <iframe srcdoc>. We'd of course have to ensure the attribute value does not contain any quotes on the server side.
<untrusted>
<p>HTML goes here</p>
</untrusted>
For this one to work, the parsing would need to be similar to <textarea> where it consumes all characters until the next instance of "</untrusted>". And of course we'd have to ensure to remove "</untrusted>" from the content itself on the server side.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>