On Wed, Nov 9, 2011 at 9:54 AM, Adam Barth <[email protected]> wrote:
> Also, a div doesn't represent a security boundary. It's difficult to
> sandbox something unless you have a security boundary around it.
> IMHO, an easy way to solve this problem is to just expose an
> HTMLParser object, analogous to DOMParser, which folks can use to
> safely parse HTML,

DOMParser.parseFromString already takes a content type as the second
argument. The plan is to support HTML parsing when the second argument
is text/html.

> e.g., from XMLHttpRequest.

XMLHttpRequest Level 2 has built-in support for HTML parsing. No need
to first get responseText and then pass it to something else.

--
Henri Sivonen
[email protected]
http://hsivonen.iki.fi/
