
toStaticHTML method

Removes dynamic HTML elements and attributes from an HTML fragment.

Internet Explorer 8

Syntax


HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);

Parameters

bstrHTML [in]

Type: BSTR

An HTML fragment.

pbstrStaticHTML [out, retval]

Type: BSTR

An HTML fragment consisting of static elements only.

Return value

Type: HRESULT

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Standards information

There are no standards that apply here.

Remarks

The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can arrive in a URL, in form parameters, or across domains through XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note: This method does not filter the attributes of the base element, so link and anchor elements injected into a webpage can still trigger unwanted redirect requests. For best results, use IHTMLWindow6::toStaticHTML only to modify elements in the body of a webpage.

For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.
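The following is an added example, not code from the MSDN page: a script-side wrapper around window.toStaticHTML (the scripting form of IHTMLWindow6::toStaticHTML) that fails closed when the method is absent and enforces the caveat from the note above by rejecting any fragment that still carries a base element. The filterImpl parameter and the containsBaseElement/toStaticFragment/renderUntrusted names are assumptions made for this example.

```javascript
// Added example (not from the MSDN page). Uses var/function syntax so it
// also loads in Internet Explorer 8, where window.toStaticHTML first shipped.

// True when the markup contains a <base ...> start tag (any case, any
// whitespace after "<"). The lookahead avoids matching words like "database".
function containsBaseElement(html) {
  return /<\s*base(?=[\s\/>])/i.test(html);
}

// Runs the fragment through toStaticHTML and applies the extra base-element
// check that the method itself does not perform. filterImpl (assumed
// parameter) defaults to window.toStaticHTML; it is injectable so the wrapper
// can be exercised outside Internet Explorer.
function toStaticFragment(untrustedHtml, filterImpl) {
  var filter = filterImpl ||
    (typeof window !== 'undefined' ? window.toStaticHTML : undefined);
  if (typeof filter !== 'function') {
    // Fail closed: never fall back to inserting the raw fragment.
    throw new Error('toStaticHTML is not available in this host');
  }
  var staticHtml = filter(String(untrustedHtml));
  // The method does not filter attributes of the base element, so refuse the
  // whole fragment rather than let it alter how links and anchors resolve.
  if (containsBaseElement(staticHtml)) {
    throw new Error('fragment contains a base element; rejected');
  }
  return staticHtml;
}

// Inserts filtered markup only into a container that lives inside <body>,
// as the documentation advises; container is any element with innerHTML.
function renderUntrusted(container, untrustedHtml, filterImpl) {
  container.innerHTML = toStaticFragment(untrustedHtml, filterImpl);
  return container.innerHTML;
}
```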

See also

Making HTML safer: details for toStaticHTML
IHTMLElement::innerHTML

© 2014 Microsoft. All rights reserved.