[whatwg] innerStaticHTML

Philip Taylor excors+whatwg at gmail.com
Wed May 6 09:56:40 PDT 2009

On Wed, May 6, 2009 at 5:31 PM, Adam Barth <whatwg at adambarth.com> wrote:
> I receive an untrusted string, for example a weather report or a
> Twitter status update, from postMessage or a cross-origin
> XMLHttpRequest, and I want to display its content to the user without
> getting XSSed.
> If the content is purely text (e.g., no images, styles, or
> hyperlinks), then I can create a text node containing the string and
> insert it into my page's DOM.  If the content is not purely text, I
> need to implement an XSS filter in JavaScript (which folks commonly
> screw up).

Could <iframe sandbox> work as a workaround?

    var iframe = document.createElement('iframe');
    iframe.sandbox = ''; // (um, I hope this is right? I'm guessing
any non-null/undefined value enables sandboxing, or something)
    iframe.seamless = true;
    iframe.src = 'data:text/html,'+encodeURIComponent(tweet);

Philip Taylor
excors at gmail.com

More information about the whatwg mailing list