Removes dynamic HTML elements and attributes from an HTML fragment.
HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);
- bstrHTML [in]
An HTML fragment.
- pbstrStaticHTML [out, retval]
An HTML fragment consisting of static elements only.
If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
There are no standards that apply here.
The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.
Note This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use IHTMLWindow6::toStaticHTML to modify elements in the body of a webpage.
For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.