On Nov 24, 2009, at 10:37 PM, Adam Barth wrote:

On Tue, Nov 24, 2009 at 8:39 PM, Maciej Stachowiak <m...@apple.com> wrote:
On Nov 24, 2009, at 7:14 PM, Adam Barth wrote:
In the below message to the WHATWG, Ian suggests that vendors
experiment with an API that makes it easier for web developers to
programmatically add static HTML content to their pages without XSSing
themselves:

http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-June/020191.html

I think we should do as he recommends.  If no one objects, I'll add
this to my list of things to work on.

I think innerStaticHTML is a good idea. Is there also a use case for the
"static" equivalent of insertAdjacentHTML()?

I think we should experiment with the minimal API that seems useful.
If the experiment is a success, we can scale it up.

Michal suggested to me off-list and another possibility is to have an
API that works like this:

var jail = document.createElement("jail");
document.getElementById("foo").appendChild(jail); // attach the jail to an existing node
jail.innerHTML = untrusted_string;

We could do something similar with attributes:

var jail = document.getElementById("foo");
jail.setAttribute("sandbox", "yes-please");
jail.innerHTML = untrusted_string;

One of the nice things about using a DOM API is we don't have to worry
about crazy parsing issues.

If we tie it to an element or attribute, people may be tempted to just do it in markup, which would be insecure.

Regards,
Maciej
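As an added illustration (not code from this thread), the point Maciej makes above: a jail expressed in markup shares the token stream with the untrusted text, while a jail created through the DOM API does not. Python's stdlib HTMLParser stands in for the browser parser; the `sandbox="yes-please"` attribute is the hypothetical one from Adam's message, and the untrusted input is constructed.

```python
from html.parser import HTMLParser

# Constructed untrusted input containing a stray closing tag; nothing in it executes.
UNTRUSTED = '<b>hello</b></div><img src="x.png">'

class JailTracker(HTMLParser):
    """Minimal open-element stack on top of the stdlib tokenizer, recording which
    start tags are parsed outside any jail. Models only what the comparison needs."""
    VOID = {"br", "img", "input", "hr", "meta", "link"}

    def __init__(self, context_is_jail=False):
        super().__init__()
        self.stack = []                         # (tag, is_jail_root) per open element
        self.context_is_jail = context_is_jail  # True when the jail is the fragment's context node
        self.escaped = []                       # start tags parsed outside any jail

    def in_jail(self):
        return self.context_is_jail or any(is_root for _, is_root in self.stack)

    def handle_starttag(self, tag, attrs):
        is_jail_root = ("sandbox", "yes-please") in attrs  # hypothetical attribute from the thread
        if not self.in_jail() and not is_jail_root:
            self.escaped.append(tag)
        if tag not in self.VOID:
            self.stack.append((tag, is_jail_root))

    def handle_endtag(self, tag):
        # Pop to the nearest matching open element; an end tag that matches nothing
        # open is ignored, as browsers do when parsing a fragment.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                return

def escaped_from_markup_jail(untrusted):
    """Jail written in markup: wrapper and untrusted text share one token stream,
    so a stray </div> in the string closes the jail early."""
    p = JailTracker()
    p.feed('<div sandbox="yes-please">' + untrusted + '</div>')
    return p.escaped

def escaped_from_dom_jail(untrusted):
    """Jail created as a node first, then jail.innerHTML = untrusted: the jail root is
    the parse context rather than an open element, so the string cannot close it."""
    p = JailTracker(context_is_jail=True)
    p.feed(untrusted)
    return p.escaped

if __name__ == "__main__":
    print("markup jail leaked:", escaped_from_markup_jail(UNTRUSTED))  # ['img']
    print("DOM jail leaked:", escaped_from_dom_jail(UNTRUSTED))        # []
```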


_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
