[whatwg] innerStaticHTML

From: João Eiras <joaoe@opera.com>
Date: Wed, 06 May 2009 18:40:47 +0200
Message-ID: <op.utiol9s92q99of@id-c0981>

> PROPOSAL
>
> In addition to innerHTML, DOM elements should expose an
> innerStaticHTML property.  When set, innerStaticHTML should behave the
> same as innerHTML except that scripts should not execute (even in
> event handlers) and plug-ins should not be created.
>

As part of a browser implementation team I can clearly say that the cases where scripts should or should not run are very hard to implement in a cross-browser-compatible way. Marking those scripts or plugins as non-executable would make everything much more complex and bug-prone. Also, it would be impossible to do that for an onevent attribute without all sorts of problems.
The suggestion of marking content as non-executable doesn't solve anything, because after setting innerStaticHTML another script might serialize a piece of the affected DOM to string and back to a tree, and the code could then execute, which would not be wanted.

The only viable solution, from my point of view, would be for the UA to parse the string, and remove all untrusted content from the result tree before appending to the document.
That would mean removing all onevent attributes, all script elements, all plugins, etc. Basically, letting the UA implement all the filtering.



-- 

João Eiras
Core Developer, Opera Software ASA, http://www.opera.com/
Received on Wednesday, 6 May 2009 09:40:47 UTC
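
The contrast drawn in the message above, as an added example that is not part of the original post: marking nodes non-executable versus removing them, each followed by a serialization to markup. Plain objects stand in for the parsed result tree and every function name is hypothetical; the filter covers only the categories the message names (onevent attributes, script elements, plug-in elements).

```javascript
// Constructed stand-in for a parsed result tree (assumption):
// elements are {tag, attrs, children}, text nodes are strings.
const BLOCKED = new Set(["script", "object", "embed", "applet"]);
const isElement = (n) => typeof n !== "string";

function sampleTree() {
  return { tag: "div", attrs: {}, children: [
    { tag: "p", attrs: { onclick: "run()", class: "note" }, children: ["hello"] },
    { tag: "script", attrs: {}, children: ["run()"] },
    { tag: "span", attrs: {}, children: [
      { tag: "object", attrs: { data: "movie.swf" }, children: [] }] },
  ] };
}

// Approach 1 (the proposal): keep every node and flag it non-executable.
function markTree(node) {
  node.nonExecutable = true;
  node.children.filter(isElement).forEach(markTree);
  return node;
}

// Approach 2 (the reply): remove script/plug-in elements and on* attributes.
function filterTree(node) {
  for (const name of Object.keys(node.attrs)) {
    if (/^on/i.test(name)) delete node.attrs[name];
  }
  node.children = node.children.filter(
    (c) => !isElement(c) || !BLOCKED.has(c.tag.toLowerCase()));
  node.children.filter(isElement).forEach(filterTree);
  return node;
}

const esc = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/"/g, "&quot;");

// Serialization emits markup only, so the in-memory flag does not survive it.
function serialize(node) {
  if (!isElement(node)) return esc(node);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${esc(v)}"`).join("");
  const inner = node.children.map(serialize).join("");
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

const marked = serialize(markTree(sampleTree()));
const filtered = serialize(filterTree(sampleTree()));
console.log("marked:  ", marked);   // handler and script are still in the markup
console.log("filtered:", filtered); // nothing executable left to re-parse
```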