Comment #4 on issue 1787 by kpreid.switchb.org: Missing feature in
(<div>).innerHTML
http://code.google.com/p/google-caja/issues/detail?id=1787

The cause of this is that the .innerHTML setter is implemented as
feral.innerHTML = sanitizeHtml(value); and the hooks which permit <script>
(and these days, <style>) despite it being marked unsafe are implemented
specifically in HtmlEmitter.

I think the most _straightforward_ way to get the correct semantics here is
to instantiate a new HtmlEmitter independent of the existing one and point
it at the target element (or possibly a document fragment), with an added
flag to implement the “don't execute script” behavior of .innerHTML (follow
whatever HTML5 says here). However, I am reasonably confident this would be
very much slower than our current .innerHTML implementation.

An alternative is to set up the HTML sanitizer with a policy which permits
<script> and <style>, but we don't have hooks for suppressing the script's
body text. (In theory that doesn't matter, but it's too close to the edge
for my taste.)
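
An added illustration of the second alternative in the comment above (a policy that permits <script> and <style> together with a hook that suppresses their body text). This is not Caja code and not from the comment's author: the event format, POLICY, the dropBody flag and sanitizeEvents are all hypothetical, and the input is assumed to be an already tokenized, balanced event stream.

```javascript
'use strict';
// Hypothetical policy (not Caja's): tag -> allowed attributes, plus a flag
// that keeps the element itself but suppresses everything inside it.
const POLICY = {
  div:    { attrs: ['class'] },
  b:      { attrs: [] },
  script: { attrs: [], dropBody: true },
  style:  { attrs: [], dropBody: true },
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Filters a balanced stream of start/text/end events. Frame modes:
// 'keep' emits tags and text, 'inert' emits only the element's own tags,
// 'drop' emits nothing (disallowed element, or nested in inert/drop).
function sanitizeEvents(events, policy) {
  const out = [];
  const stack = [];
  for (const ev of events) {
    const parentMode = stack.length ? stack[stack.length - 1] : 'keep';
    if (ev.type === 'start') {
      if (parentMode !== 'keep' || !own(policy, ev.tag)) {
        stack.push('drop');
        continue;
      }
      const rule = policy[ev.tag];
      const attrs = {};
      for (const name of rule.attrs) {
        if (own(ev.attrs || {}, name)) attrs[name] = ev.attrs[name];
      }
      out.push({ type: 'start', tag: ev.tag, attrs });
      stack.push(rule.dropBody ? 'inert' : 'keep');
    } else if (ev.type === 'text') {
      if (parentMode === 'keep') out.push({ type: 'text', data: ev.data });
    } else if (ev.type === 'end' && stack.length) {
      if (stack.pop() !== 'drop') out.push({ type: 'end', tag: ev.tag });
    }
  }
  return out;
}

// Constructed sample: a div holding text, a script with a body, and an iframe.
const SAMPLE = [
  { type: 'start', tag: 'div', attrs: { class: 'a', onclick: 'x()' } },
  { type: 'text', data: 'hi' },
  { type: 'start', tag: 'script', attrs: { src: '//x' } },
  { type: 'text', data: 'alert(1)' },
  { type: 'end', tag: 'script' },
  { type: 'start', tag: 'iframe', attrs: {} },
  { type: 'text', data: 'z' },
  { type: 'end', tag: 'iframe' },
  { type: 'end', tag: 'div' },
];
```

With this policy the script element survives as an empty node, so the result does not depend on the .innerHTML rule that inserted scripts are not executed.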