- From: Adam Barth <w3c@adambarth.com>
- Date: Sat, 14 Aug 2010 15:39:46 -0700
== Use Case == It's common that a web page has a string of untrusted characters (e.g., received via cross-site XMLHttpRequest or postMessage) that it wishes to display to the user. The page wants to display the string using a simple, secure API. == Workarounds == Currently, the path of least resistance is to assign the string to HTMLElement.innerHTML. However, that is insecure because the untrusted string can execute script via that API. It's possible to display the string securely using the following pattern: elmt.appendChild(document.createTextNode(untrusted_string)); However, that pattern is more cumbersome than "elmt.innerHTML = untrusted_string", so developers end up writing insecure code. == Proposal == We should expose a property on HTMLElement similar to innerHTML called innerText. When assigning a string to innerText, the string is placed in a text node (and is not parsed as HTML). == Deployment == HTMLElement.innerText appears to be deployed in Internet Explorer, Chrome, Safari, and Opera. However, the API is missing from Firefox and the HTML5 spec. (Note the existing implementations of the API seem to do some work around newline normalization, which we should consider when adding the API to the specification.) Kind regards, Adam
Received on Saturday, 14 August 2010 15:39:46 UTC