
Re: Sanitising HTML content through sandboxing

From: Henri Sivonen <hsivonen@iki.fi>
Date: Thu, 10 Nov 2011 16:06:00 +0200
Message-ID: <CAJQvAudUyYT=1k-1SdZPBQ3gHRTjHtf5=oOwoRDNPswmYm-6uQ@mail.gmail.com>
To: public-webapps@w3.org
On Wed, Nov 9, 2011 at 9:54 AM, Adam Barth <w3c@adambarth.com> wrote:
> Also, a div doesn't represent a security boundary.  It's difficult to
> sandbox something unless you have a security boundary around it.
> IMHO, an easy way to solve this problem is to just expose an
> HTMLParser object, analogous to DOMParser, which folks can use to
> safely parse HTML,

DOMParser.parseFromString already takes a content type as the second
argument. The plan is to support HTML parsing when the second argument
is text/html.

> e.g., from XMLHttpRequest.

XMLHttpRequest Level 2 has built-in support for HTML parsing. No need
to first get responseText and then pass it to something else.

Henri Sivonen
Received on Thursday, 10 November 2011 14:06:37 UTC
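As an added example that is not part of the thread or any W3C text: the approach Henri describes, parsing untrusted markup with `DOMParser` and `"text/html"` into an inert document (the security boundary Adam asks for), and then reducing that document to an allowlist before any of it reaches the live page. The allowlists, `safeHref` and the sample input are assumptions for illustration.

```javascript
// Added example, not from the thread: untrusted markup is parsed by DOMParser
// into an inert document (no script runs, no handlers fire) and reduced to an
// allowlist before anything reaches the live page. Lists are illustrative.
const ALLOWED_TAGS = new Set(["P", "B", "I", "EM", "STRONG", "A", "UL", "OL", "LI", "BR"]);
const ALLOWED_ATTRS = { A: new Set(["href"]) };
const DROP_WITH_CONTENT = new Set(["SCRIPT", "STYLE", "IFRAME", "OBJECT", "EMBED", "TEMPLATE"]);

// Only absolute http(s) URLs survive; javascript:, data:, vbscript: are rejected.
function safeHref(value) {
  return /^https?:\/\//i.test(String(value).trim());
}

function sanitizeNode(node) {
  // Walk children in reverse so removals and unwraps do not disturb the index.
  for (let i = node.childNodes.length - 1; i >= 0; i--) {
    const child = node.childNodes[i];
    if (child.nodeType === 3) continue; // text node, always kept
    if (child.nodeType !== 1 || DROP_WITH_CONTENT.has(child.nodeName)) {
      child.remove(); // comments and the whole script/style/iframe subtree
      continue;
    }
    if (!ALLOWED_TAGS.has(child.nodeName)) {
      const kids = Array.from(child.childNodes);
      child.replaceWith(...kids); // keep the text, drop the unknown wrapper
      i += kids.length; // the lifted children are visited on later iterations
      continue;
    }
    const allowed = ALLOWED_ATTRS[child.nodeName] || new Set();
    for (const attr of Array.from(child.attributes)) {
      const name = attr.name.toLowerCase();
      if (!allowed.has(name) || (name === "href" && !safeHref(attr.value))) {
        child.removeAttribute(attr.name); // drops on* handlers, style, bad hrefs
      }
    }
    sanitizeNode(child);
  }
}

function sanitizeHtml(untrusted) {
  // "text/html" selects the HTML parser, as the message above describes.
  const doc = new DOMParser().parseFromString(untrusted, "text/html");
  sanitizeNode(doc.body);
  return doc.body.innerHTML;
}

// Constructed sample; only runs where a browser DOM is available.
if (typeof DOMParser !== "undefined") {
  console.log(sanitizeHtml('<p onclick="x()">Hi <a href="javascript:y()">link</a><script>z()</script></p>'));
}
```

The XMLHttpRequest Level 2 path Henri mentions (`responseType = "document"` on a text/html response) yields the same kind of inert document, so its `response.body` can be handed to `sanitizeNode` directly.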
