
Re: Sanitising HTML content through sandboxing

From: Henri Sivonen <hsivonen@iki.fi>
Date: Thu, 10 Nov 2011 16:06:00 +0200
Message-ID: <CAJQvAudUyYT=1k-1SdZPBQ3gHRTjHtf5=oOwoRDNPswmYm-6uQ@mail.gmail.com>
To: public-webapps@w3.org
On Wed, Nov 9, 2011 at 9:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> Also, a div doesn't represent a security boundary.  It's difficult to
> sandbox something unless you have a security boundary around it.
> IMHO, an easy way to solve this problem is to just expose an
> HTMLParser object, analogous to DOMParser, which folks can use to
> safely parse HTML,

DOMParser.parseFromString already takes a content type as the second
argument. The plan is to support HTML parsing when the second argument
is text/html.

> e.g., from XMLHttpRequest.

XMLHttpRequest Level 2 has built-in support for HTML parsing. No need
to first get responseText and then pass it to something else.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
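The approach Henri points at, parsing untrusted markup with DOMParser.parseFromString(…, "text/html") into a document that has no browsing context (no script execution, no subresource fetches) and then copying only allow-listed nodes into the live page, as an added example that is not code from the thread or from any W3C specification. The tag and attribute allow-lists, the helper names (isSafeUrl, allowedAttributes, sanitizeInto, sanitizeHtml) and the sample input are illustrative choices made here:

```javascript
// Added example (not from the mailing-list thread): sanitise untrusted HTML by
// parsing it into an inert DOMParser document and rebuilding an allow-listed
// copy in the target document. The lists below are illustrative, not a spec.

// Elements that may survive; everything else is unwrapped (children kept).
const ALLOWED_TAGS = new Set(["P", "B", "I", "EM", "STRONG", "A", "UL", "OL",
                              "LI", "BR", "CODE", "PRE"]);
// Elements dropped together with their content (script, style, embeds).
const DROP_WITH_CONTENT = new Set(["SCRIPT", "STYLE", "TEMPLATE", "IFRAME",
                                   "OBJECT", "EMBED"]);
// Per-element attribute allow-list; no on* handlers, no style.
const ALLOWED_ATTRS = { A: new Set(["href", "title"]) };
const URL_ATTRS = new Set(["href"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Accept relative URLs and a few schemes; reject javascript:, data:, etc.
// Values reach us already entity-decoded by the HTML parser, so tricks like
// "javascript&#58;" are resolved; C0 controls and spaces are removed because
// URL parsers ignore them inside a scheme ("java\tscript:").
function isSafeUrl(value) {
  const cleaned = String(value).toLowerCase().replace(/[\u0000-\u0020]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/.exec(cleaned);
  if (!m) return true;                 // no scheme: relative URL
  return SAFE_SCHEMES.has(m[1]);
}

// Pure filter over [name, value] pairs: returns only the pairs to keep.
function allowedAttributes(tagName, attrs) {
  const allowed = ALLOWED_ATTRS[tagName.toUpperCase()];
  if (!allowed) return [];
  return attrs.filter(([name, value]) => {
    const n = name.toLowerCase();
    if (!allowed.has(n)) return false; // drops onclick, style, srcdoc, ...
    return !URL_ATTRS.has(n) || isSafeUrl(value);
  });
}

// Walk the inert source tree and append a cleaned copy under `target`.
function sanitizeInto(source, target, targetDoc) {
  for (const child of Array.from(source.childNodes)) {
    if (child.nodeType === 3) {        // Node.TEXT_NODE: copy text verbatim
      target.appendChild(targetDoc.createTextNode(child.data));
      continue;
    }
    if (child.nodeType !== 1) continue; // comments, PIs: drop
    const tag = child.tagName.toUpperCase();
    if (DROP_WITH_CONTENT.has(tag)) continue;
    if (!ALLOWED_TAGS.has(tag)) {       // unknown element: keep children only
      sanitizeInto(child, target, targetDoc);
      continue;
    }
    const el = targetDoc.createElement(tag.toLowerCase());
    const pairs = Array.from(child.attributes, a => [a.name, a.value]);
    for (const [name, value] of allowedAttributes(tag, pairs)) {
      el.setAttribute(name, value);
    }
    sanitizeInto(child, el, targetDoc);
    target.appendChild(el);
  }
}

// Parse with text/html into a document that has no browsing context, so the
// markup is inspected without ever running scripts or loading subresources.
function sanitizeHtml(untrustedHtml, targetDoc = document) {
  const inert = new DOMParser().parseFromString(untrustedHtml, "text/html");
  const fragment = targetDoc.createDocumentFragment();
  sanitizeInto(inert.body, fragment, targetDoc);
  return fragment;
}

// Browser-only demo on constructed input (skipped outside a DOM environment).
if (typeof DOMParser !== "undefined" && typeof document !== "undefined") {
  const untrusted = '<p onmouseover="alert(1)">Hi <a href="javascript:alert(2)">x</a>' +
                    '<img src="x" onerror="alert(3)"></p>';
  document.body.appendChild(sanitizeHtml(untrusted)); // yields <p>Hi <a>x</a></p>
}
```

The same walk applies to the document XMLHttpRequest Level 2 hands back when responseType is set to "document" and the response is text/html: that document is likewise inert, so the response never needs to pass through responseText or a div's innerHTML, which is exactly the missing security boundary Adam describes.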
Received on Thursday, 10 November 2011 14:06:37 GMT
