Removes dynamic HTML elements and attributes from an HTML fragment.
Syntax
pbstrStaticHTML = object.toStaticHTML(bstrHTML)
Parameters
| bstrHTML | Required. An HTML fragment. |
Return Value
An HTML fragment consisting of static elements only.
Remarks
The toStaticHTML method removes script elements and event-handler attributes from an HTML fragment, so it can be applied to user input before that input is displayed as HTML. Malicious HTML can arrive on a URL, in form parameters, or across domains through XDomainRequest or postMessage. Always validate user input before adding it as an HTML fragment to a Web page or storing it in a database, and sanitize again at the point where stored content is inserted into the page, since data in the database may have been written by a path that did not validate it. This method is specific to Internet Explorer; on other browsers, untrusted content must be inserted as text rather than as markup.
Note This method does not filter the attributes of the base element. An injected base element changes the URL against which relative href attributes of link and anchor elements resolve, so it can cause potentially unwanted redirect requests even though the elements themselves are static. For best results, use toStaticHTML only on elements placed in the body of a Web page, and reject any fragment that still contains a base element.
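As an added example (not code from the MSDN page), the following JavaScript shows the checks a practitioner would wrap around toStaticHTML for the cases the Remarks and the Note describe: it refuses to treat input as markup on a browser without toStaticHTML, rejects a result that still contains a base element instead of trying to clean it, gates a postMessage payload on the sender origin before the payload is considered as HTML, and demonstrates why an injected base element matters by resolving a relative href against it. The host parameter, ALLOWED_ORIGINS, the {origin, data} message shape and the pass-through stand-in passThroughHost are assumptions made so the code can run outside Internet Explorer.

```javascript
"use strict";

// Assumption: `host` is the object that exposes toStaticHTML (window in
// Internet Explorer). It is passed in so the checks can be exercised in Node.

// toStaticHTML leaves <base> alone, so a fragment that still contains a base
// element is rejected outright; no attempt is made to rewrite it. The regex
// mirrors the HTML tokenizer's tag-name boundary: "<base" followed by
// whitespace, "/" or ">" (so <basefont> does not match). False positives are
// acceptable because the policy is reject, not clean.
function hasBaseElement(html) {
  return /<base(?=[\s\/>])/i.test(html);
}

// Returns static HTML that may be assigned to innerHTML of an element inside
// <body>, or null when the input must be handled as plain text instead
// (no toStaticHTML available, or a base element survived sanitization).
function toBodySafeHTML(html, host) {
  if (typeof html !== "string") return null;
  if (!host || typeof host.toStaticHTML !== "function") {
    // Not Internet Explorer: there is no standard equivalent, so the caller
    // must fall back to innerText/textContent rather than inserting markup.
    return null;
  }
  const staticHTML = host.toStaticHTML(html);
  if (hasBaseElement(staticHTML)) return null;
  return staticHTML;
}

// Demonstrates the redirect the Note warns about: a relative href resolves
// against an injected <base href> rather than against the page's own URL.
function resolveLink(href, pageUrl, injectedBaseHref) {
  const base = injectedBaseHref
    ? new URL(injectedBaseHref, pageUrl)
    : new URL(pageUrl);
  return new URL(href, base).href;
}

// postMessage receiver: the sender origin is checked against an allowlist
// before the payload is looked at as HTML. The origin values are assumptions.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

function handleMessage(event, host) {
  if (!event || !ALLOWED_ORIGINS.has(event.origin)) return null; // untrusted sender
  if (typeof event.data !== "string") return null;
  return toBodySafeHTML(event.data, host);
}

// Constructed stand-in for the IE window object, used when running outside a
// browser: a pass-through toStaticHTML so the surrounding checks can be
// exercised. Real IE output differs (script and event attributes are removed).
const passThroughHost = { toStaticHTML: (s) => s };

// Usage in a browser: window.addEventListener("message", function (e) {
//   var html = handleMessage(e, window);
//   if (html !== null) document.getElementById("out").innerHTML = html;
//   else document.getElementById("out").innerText = String(e.data);
// });
```

The base-element check is deliberately a reject rather than a strip: removing the element from a string with a regular expression would leave the rest of the fragment unverified, whereas refusing the whole fragment and falling back to plain text loses nothing that should have been trusted.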
Example
The following script demonstrates how toStaticHTML sanitizes script and dynamic HTML attributes. The static content produced is <span>Click Me</span>: the script element and the onclick attribute are removed.
<html>
<head>
<script type="text/javascript">
function sanitize()
{
    // Read the fragment that was written into the page, including the
    // script element and the onclick attribute it carries.
    var myDiv = document.getElementById("myDiv");
    var szInput = myDiv.innerHTML;
    // window.toStaticHTML is available in Internet Explorer 8 and later.
    var szStaticHTML = window.toStaticHTML(szInput);
    var ResultComment = "\ntoStaticHTML sanitized the HTML fragment as follows:\n"
        + "Original Content:\n" + szInput + "\n"
        + "Static Content:\n" + szStaticHTML + "\n";
    // Show the result as text so the sanitized markup is displayed literally.
    myDiv.innerText = ResultComment;
}
</script>
</head>
<body onload="sanitize()">
<div id="myDiv">
<script>function test() { alert("Testing, Testing, 123..."); }</script>
<span onclick="test()">Click Me</span>
</div>
</body>
</html>
Standards Information
There is no public standard that applies to this method.
Applies To
See Also
innerHTML