[whatwg] innerStaticHTML

[Tab Atkins Jr.]

On Wed, May 6, 2009 at 4:01 PM, Robert O'Callahan <robert at ocallahan.org> wrote:
> On Wed, May 6, 2009 at 9:40 AM, João Eiras <joaoe at opera.com> wrote:
>>
>> As part of a browser implementation team I can clearly say that the cases
>> where scripts should, or should not run are very hard to implement in a
>> cross browser compatible way. Marking those scripts or plugins are
>> non-executable would make everything much more complex and bug prone. Also,
>> it would be impossible to do that for a onevent attribute without all sorts
>> of problems.
>> The suggestion of marking content as non-executable doesn't solve
>> anything, because after setting innerStaticHTML another script might
>> serialize a piece of the affected DOM to string and back to a tree, and the
>> code could then execute, which would not be wanted.
>>
>> The only viable solution, from my point of view, would be for the UA to
>> parse the string, and remove all untrusted content from the result tree
>> before appending to the document.
>> That would mean removing all onevent attributes, all scripts elements, all
>> plugins, etc. Basically, letting the UA implement all the filtering.
>
>
> I think that's actually what Adam is proposing. At least, it's what I had in
> mind when we discussed it.

I'm in favor of this.  Browser-specified sanitizing, woo!

Obviously this doesn't replace the need for sandbox iframes (those are
still necessary for building a page using external html without
javascript), but it's a much easier solution for pretty much any
js-based sandbox-iframe situation.

~TJ