- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Tue, 15 Feb 2011 10:10:38 -0500
- To: gaz Heyes <gazheyes@gmail.com>
- CC: "sird@rckc.at" <sird@rckc.at>, public-web-security@w3.org
On 2/15/11 5:06 AM, gaz Heyes wrote:
> I think you might be confused with sdc's naming conventions, "src"
> actually refers to the source code supplied not the url of the iframe.

And one more thing. If you just want to have your HTML parsed in a context in which scripts won't execute, you can simply createDocument a document via the DOMImplementation and then set innerHTML in there...

As you point out in your later mail, none of this helps if you want to import those nodes into another document and then show them to the user, since at that point event handler attributes will start working.

-Boris
Received on Tuesday, 15 February 2011 16:45:18 UTC
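
The approach in the message above, as an added example that is not code from the thread: markup is parsed in a detached document, and event handler attributes are dropped before the nodes are imported into the document shown to the user. It assumes `createHTMLDocument` as the DOMImplementation call; the helper names `parseInert`, `stripEventHandlers` and `importStripped` are hypothetical.

```javascript
// Added example (assumed helper names; not from the original thread).

// Parse `html` inside a document that has no browsing context. Scripts do
// not execute there, and handlers such as onerror= stay inactive while the
// nodes remain in that document.
function parseInert(html, impl = document.implementation) {
  const inertDoc = impl.createHTMLDocument('');
  inertDoc.body.innerHTML = html;
  return inertDoc.body;
}

// Remove every on* attribute from `root` and all of its descendants.
// Returns the names that were removed so the caller can log them.
function stripEventHandlers(root) {
  const removed = [];
  const stack = [root];
  while (stack.length > 0) {
    const el = stack.pop();
    // Copy first: the live attribute list changes as we remove from it.
    for (const attr of Array.from(el.attributes)) {
      if (/^on/i.test(attr.name)) {
        el.removeAttribute(attr.name);
        removed.push(attr.name);
      }
    }
    stack.push(...Array.from(el.children));
  }
  return removed;
}

// Browser usage: strip while still inert, then import into the visible
// document. Importing without the strip step is the case the message warns
// about, because the handler attributes become live in the target document.
function importStripped(html, targetDoc = document) {
  const body = parseInert(html, targetDoc.implementation);
  stripEventHandlers(body);
  const frag = targetDoc.createDocumentFragment();
  for (const child of Array.from(body.childNodes)) {
    frag.appendChild(targetDoc.importNode(child, true));
  }
  return frag;
}
```

This covers only the event handler attributes the message mentions; it is not a complete HTML sanitizer.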