[whatwg] innerStaticHTML
Robert O'Callahan
robert at ocallahan.org
Wed May 6 14:01:29 PDT 2009
On Wed, May 6, 2009 at 9:40 AM, João Eiras <joaoe at opera.com> wrote:
> As part of a browser implementation team I can clearly say that the cases
> where scripts should, or should not run are very hard to implement in a
> cross browser compatible way. Marking those scripts or plugins are
> non-executable would make everything much more complex and bug prone. Also,
> it would be impossible to do that for a onevent attribute without all sorts
> of problems.
> The suggestion of marking content as non-executable doesn't solve anything,
> because after setting innerStaticHTML another script might serialize a piece
> of the affected DOM to string and back to a tree, and the code could then
> execute, which would not be wanted.
>
> The only viable solution, from my point of view, would be for the UA to
> parse the string, and remove all untrusted content from the result tree
> before appending to the document.
> That would mean removing all onevent attributes, all scripts elements, all
> plugins, etc. Basically, letting the UA implement all the filtering.
>
I think that's actually what Adam is proposing. At least, it's what I had in
mind when we discussed it.
Rob
--
"He was pierced for our transgressions, he was crushed for our iniquities;
the punishment that brought us peace was upon him, and by his wounds we are
healed. We all, like sheep, have gone astray, each of us has turned to his
own way; and the LORD has laid on him the iniquity of us all." [Isaiah
53:5-6]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090506/c56ed9ca/attachment.htm>
More information about the whatwg
mailing list