[whatwg] Proposal: Add HTMLElement.innerText

== Use Case ==

It's common that a web page has a string of untrusted characters
(e.g., received via cross-site XMLHttpRequest or postMessage) that it
wishes to display to the user.  The page wants to display the string
using a simple, secure API.

== Workarounds ==

Currently, the path of least resistance is to assign the string to
HTMLElement.innerHTML.  However, that is insecure because the
untrusted string can execute script via that API.

It's possible to display the string securely using the following pattern:

elmt.appendChild(document.createTextNode(untrusted_string));

However, that pattern is more cumbersome than "elmt.innerHTML =
untrusted_string", so developers end up writing insecure code.

== Proposal ==

We should expose a property on HTMLElement similar to innerHTML called
innerText.  When assigning a string to innerText, the string is placed
in a text node (and is not parsed as HTML).
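The createTextNode pattern from the workaround section, written out as an added example that is not part of the original post. `setUntrustedText`, `isTextOnly`, `makeFakeDocument` and `demo` are hypothetical helper names; the stand-in document is constructed only so the block runs under Node, and in a page you would pass the real `document`.

```javascript
// Put `untrusted` into `elmt` as a single text node. Existing children are
// removed first so the call replaces content, as `elmt.innerHTML = s` would,
// but nothing in the string is parsed: "<b>x</b>" is shown literally.
// `doc` is the DOM document (pass `document` in a page).
function setUntrustedText(elmt, untrusted, doc) {
  while (elmt.firstChild) {
    elmt.removeChild(elmt.firstChild);
  }
  elmt.appendChild(doc.createTextNode(String(untrusted)));
  return elmt;
}
// True when every child of `elmt` is a text node (nodeType 3), i.e. the
// untrusted string did not turn into markup.
function isTextOnly(elmt) {
  return Array.from(elmt.childNodes).every((n) => n.nodeType === 3);
}
// Constructed stand-in for the few DOM methods used above, so the example
// runs under Node. It is deliberately not a parser.
function makeFakeDocument() {
  const createElement = () => {
    const el = { nodeType: 1, childNodes: [] };
    Object.defineProperty(el, "firstChild", {
      get: () => (el.childNodes.length ? el.childNodes[0] : null),
    });
    el.appendChild = (n) => { el.childNodes.push(n); return n; };
    el.removeChild = (n) => {
      el.childNodes.splice(el.childNodes.indexOf(n), 1);
      return n;
    };
    return el;
  };
  return {
    createTextNode: (data) => ({ nodeType: 3, data: String(data) }),
    createElement,
  };
}
// Worked run: markup in the string stays inert text and the newline survives
// (the post notes innerText implementations may normalize newlines;
// createTextNode does not).
function demo(doc = makeFakeDocument()) {
  const div = doc.createElement("div");
  div.appendChild(doc.createTextNode("stale content"));
  setUntrustedText(div, "<b>not bold</b>\nline two", doc);
  return {
    childCount: div.childNodes.length,
    textOnly: isTextOnly(div),
    shown: div.childNodes[0].data,
  };
}
```

In a browser, `demo(document)` performs the same steps against a real element, and `isTextOnly` can serve as the assertion in a test that a rendering path never creates elements from untrusted input.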

== Deployment ==

HTMLElement.innerText appears to be deployed in Internet Explorer,
Chrome, Safari, and Opera.  However, the API is missing from Firefox
and the HTML5 spec.  (Note the existing implementations of the API
seem to do some work around newline normalization, which we should
consider when adding the API to the specification.)

Kind regards,
Adam

Received on Saturday, 14 August 2010 15:39:46 UTC