[whatwg] innerStaticHTML

On Wed, May 6, 2009 at 5:31 PM, Adam Barth <whatwg at adambarth.com> wrote:
> USE CASE
>
> I receive an untrusted string, for example a weather report or a
> Twitter status update, from postMessage or a cross-origin
> XMLHttpRequest, and I want to display its content to the user without
> getting XSSed.
>
> WORKAROUNDS
>
> If the content is purely text (e.g., no images, styles, or
> hyperlinks), then I can create a text node containing the string and
> insert it into my page's DOM. If the content is not purely text, I
> need to implement an XSS filter in JavaScript (which folks commonly
> screw up).

Could <iframe sandbox> work as a workaround?

    var iframe = document.createElement('iframe');
    // An empty sandbox value turns every restriction on (unique origin, no scripts).
    iframe.sandbox = ''; // (um, I hope this is right? I'm guessing any non-null/undefined value enables sandboxing, or something)
    // seamless (as then proposed): render the frame inline, without its own borders.
    iframe.seamless = true;
    // Serve the untrusted markup from a data: URL so it never becomes part of this document.
    iframe.src = 'data:text/html,' + encodeURIComponent(tweet);
    document.getElementById('whatwg_tweet').appendChild(iframe);

-- 
Philip Taylor
excors at gmail.com

Received on Wednesday, 6 May 2009 09:56:40 UTC
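The two paths discussed in the thread (text node for plain text, sandboxed iframe for markup), as an added example that is not code from either poster. It uses only standard DOM calls; the `makeStubDocument` helper at the bottom is a constructed stand-in for `document` so the example runs outside a browser, and `renderAsText`, `renderInSandbox` and `sandboxProblems` are names chosen here. The `sandboxProblems` check goes one step beyond the thread: it flags the `allow-same-origin` plus `allow-scripts` combination, which would let framed script remove its own sandbox.

```javascript
'use strict';

// Tokens that together let framed content escape: with allow-same-origin the
// frame shares the embedder's origin, and allow-scripts lets its script reach
// into the parent and strip the sandbox attribute.
const DANGEROUS_PAIR = ['allow-same-origin', 'allow-scripts'];

// Path 1: content is plain text. A text node is never parsed as markup, so no
// filter is needed.
function renderAsText(container, untrusted, doc = globalThis.document) {
  const node = doc.createTextNode(String(untrusted));
  container.appendChild(node);
  return node;
}

// Path 2: content may contain markup. Put it in an iframe whose sandbox
// attribute is empty, which turns on every restriction (unique origin, no
// scripts, no forms, no top-level navigation). The markup travels in a data:
// URL as in the thread, so it is never inserted into this document's DOM.
function renderInSandbox(container, untrustedHtml, doc = globalThis.document) {
  const iframe = doc.createElement('iframe');
  iframe.setAttribute('sandbox', ''); // empty value = fully sandboxed
  iframe.setAttribute(
    'src',
    'data:text/html;charset=utf-8,' + encodeURIComponent(String(untrustedHtml))
  );
  container.appendChild(iframe);
  return iframe;
}

// Defensive check for an iframe that is supposed to hold untrusted content.
// Returns a list of problems; an empty list means the sandbox is present and
// does not contain the escape-enabling token pair.
function sandboxProblems(iframe) {
  const problems = [];
  const value = iframe.getAttribute('sandbox');
  if (value === null) {
    problems.push('missing sandbox attribute');
    return problems;
  }
  const tokens = new Set(value.trim().split(/\s+/).filter(Boolean));
  if (DANGEROUS_PAIR.every((t) => tokens.has(t))) {
    problems.push(
      'allow-same-origin together with allow-scripts lets the frame remove its own sandbox'
    );
  }
  return problems;
}

// Constructed stand-in for `document` so the example runs under Node. Only the
// few DOM methods used above are modelled; in a browser, pass the real document.
function makeStubDocument() {
  function element(tagName) {
    const attrs = new Map();
    return {
      tagName,
      children: [],
      setAttribute(name, v) { attrs.set(name, String(v)); },
      getAttribute(name) { return attrs.has(name) ? attrs.get(name) : null; },
      appendChild(child) { this.children.push(child); return child; },
    };
  }
  return {
    createElement: element,
    createTextNode(text) { return { nodeType: 3, data: text }; },
  };
}

function demo() {
  const doc = makeStubDocument();
  const container = doc.createElement('div');
  // Constructed untrusted input, the kind of thing a cross-origin feed returns.
  const tweet = 'Sunny, 22C <img src=x onerror="alert(1)">';
  const text = renderAsText(container, tweet, doc);
  const frame = renderInSandbox(container, tweet, doc);
  // A deliberately loose sandbox, to show the check catching it.
  const loose = doc.createElement('iframe');
  loose.setAttribute('sandbox', 'allow-scripts allow-same-origin');
  return {
    text,
    frame,
    problems: sandboxProblems(frame),
    looseProblems: sandboxProblems(loose),
  };
}
```

In a browser the same functions take the real `document` (the default argument), and `sandboxProblems` can be run over `document.querySelectorAll('iframe')` as a quick audit that every frame holding third-party content is still sandboxed after later edits to the page.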