[whatwg] innerStaticHTML
Philip Taylor
excors+whatwg at gmail.com
Wed May 6 09:56:40 PDT 2009
On Wed, May 6, 2009 at 5:31 PM, Adam Barth <whatwg at adambarth.com> wrote:
> USE CASE
>
> I receive an untrusted string, for example a weather report or a
> Twitter status update, from postMessage or a cross-origin
> XMLHttpRequest, and I want to display its content to the user without
> getting XSSed.
>
> WORKAROUNDS
>
> If the content is purely text (e.g., no images, styles, or
> hyperlinks), then I can create a text node containing the string and
> insert it into my page's DOM. If the content is not purely text, I
> need to implement an XSS filter in JavaScript (which folks commonly
> screw up).
Could <iframe sandbox> work as a workaround?
var iframe = document.createElement('iframe');
iframe.sandbox = ''; // (um, I hope this is right? I'm guessing
                     // any non-null/undefined value enables sandboxing, or something)
iframe.seamless = true;
iframe.src = 'data:text/html,' + encodeURIComponent(tweet); // tweet is the untrusted string
document.getElementById('whatwg_tweet').appendChild(iframe);
--
Philip Taylor
excors at gmail.com
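Added example, not code from the thread or from any WHATWG spec text: it packages the <iframe sandbox> workaround sketched above into a reusable helper. The function names, the SAMPLE_TWEET input and the 'whatwg_tweet' container id are my own; the helper refuses 'allow-scripts' because the point of the workaround is that nothing in the untrusted string ever executes.

```javascript
// An empty sandbox attribute applies every restriction: no script, no forms,
// no plugins, no top-level navigation, and an opaque origin, so the framed
// markup cannot reach the host page's DOM, cookies or storage.

// Constructed sample of hostile input: markup carrying an event handler.
const SAMPLE_TWEET = 'Rain later <img src=x onerror="alert(document.cookie)">';

const DATA_URL_PREFIX = 'data:text/html;charset=utf-8,';

// Build the attributes for a sandboxed frame. `allow` lists extra sandbox
// tokens the host chooses to grant (e.g. 'allow-popups'); 'allow-scripts'
// is refused outright for display-only untrusted content.
function sandboxedFrameAttributes(untrustedHtml, allow = []) {
  if (typeof untrustedHtml !== 'string') {
    throw new TypeError('untrusted content must be a string');
  }
  if (allow.includes('allow-scripts')) {
    throw new Error('refusing to enable script execution for untrusted markup');
  }
  return {
    // encodeURIComponent percent-encodes as UTF-8, matching the declared
    // charset, so '#', '%', '<' and non-ASCII survive the trip into the URL.
    src: DATA_URL_PREFIX + encodeURIComponent(untrustedHtml),
    sandbox: allow.join(' '), // '' means all restrictions apply
  };
}

// Inverse of the src encoding; lets the host verify the round trip.
function decodeFrameSrc(src) {
  if (!src.startsWith(DATA_URL_PREFIX)) {
    throw new Error('not a frame src built by sandboxedFrameAttributes');
  }
  return decodeURIComponent(src.slice(DATA_URL_PREFIX.length));
}

// Browser side: create the element and attach it. The sandbox attribute is
// set before src and before insertion, so the restrictions are in place when
// the frame first navigates.
function mountSandboxedFrame(container, untrustedHtml, allow = []) {
  const attrs = sandboxedFrameAttributes(untrustedHtml, allow);
  const iframe = document.createElement('iframe');
  iframe.setAttribute('sandbox', attrs.sandbox);
  iframe.setAttribute('src', attrs.src);
  container.appendChild(iframe);
  return iframe;
}

// In a page: mountSandboxedFrame(document.getElementById('whatwg_tweet'), SAMPLE_TWEET);
```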