
Re: A perfect DOM sandbox

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Tue, 15 Feb 2011 10:10:38 -0500
Message-ID: <4D5A976E.7020401@mit.edu>
To: gaz Heyes <gazheyes@gmail.com>
CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org

On 2/15/11 5:06 AM, gaz Heyes wrote:
> I think you might be confused with sdc's naming conventions, "src"
> actually refers to the source code supplied not the url of the iframe.

And one more thing.  If you just want to have your HTML parsed in a 
context in which scripts won't execute, you can simply createDocument a 
document via the DOMImplementation and then set innerHTML in there...

As you point out in your later mail, none of this helps if you want to 
import those nodes into another document and then show them to the user, 
since at that point event handler attributes will start working.

-Boris
Received on Tuesday, 15 February 2011 16:45:18 GMT
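
The following is an added example, not part of the original mail or of any project's code: it parses markup in an inert document and removes event handler attributes before the nodes are imported into a live document, which is the point at which the mail says they start working. The function names are hypothetical, `createHTMLDocument()` is used as the DOMImplementation call where the mail mentions createDocument, and the code addresses only event handler attributes, not other script-bearing markup.

```javascript
// Added example. Function names are hypothetical; sample input is constructed.

// Parse markup in a document with no browsing context: nothing executes here.
function parseInert(html) {
  const inert = document.implementation.createHTMLDocument('');
  inert.body.innerHTML = html;
  return inert.body;
}

// Remove every on* attribute from root and its descendant elements.
// Works on anything exposing attributes / children / removeAttribute.
// Returns "tag@attr" strings so the caller can log what was dropped.
function stripEventHandlers(root) {
  const removed = [];
  const queue = [root];
  for (let i = 0; i < queue.length; i++) {
    const el = queue[i];
    // Copy the attribute list first: removing while iterating a live list skips entries.
    for (const attr of Array.from(el.attributes || [])) {
      if (/^on/i.test(attr.name)) {
        el.removeAttribute(attr.name);
        removed.push(`${el.tagName}@${attr.name}`.toLowerCase());
      }
    }
    for (const child of Array.from(el.children || [])) queue.push(child);
  }
  return removed;
}

// Strip while the nodes are still inert, then import into the live document.
function importWithoutHandlers(html, container) {
  const body = parseInert(html);
  const removed = stripEventHandlers(body);
  const liveDoc = container.ownerDocument;
  for (const node of Array.from(body.childNodes)) {
    container.appendChild(liveDoc.importNode(node, true));
  }
  return removed;
}

// Browser-only demo on constructed input; skipped where there is no DOM.
if (typeof document !== 'undefined') {
  const sample = '<p onclick="alert(1)">hi <img src="x.png" onerror="alert(2)"></p>';
  console.log(importWithoutHandlers(sample, document.createElement('div')));
}
```

The order matters: the attributes are removed while the nodes still belong to the inert document, so the live document never sees them.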
