
toStaticHTML method

[This documentation is preliminary and is subject to change.]

Removes dynamic HTML elements and attributes from an HTML fragment.

Internet Explorer 8

Syntax

var pbstrStaticHTML = window.toStaticHTML(bstrHTML);

Standards information

There are no standards that apply here.

Parameters

bstrHTML [in]

Type: BSTR

An HTML fragment.

pbstrStaticHTML [out, retval]

Type: BSTR

An HTML fragment consisting of static elements only.

Return value

Type: HRESULT

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Type: String

An HTML fragment consisting of static elements only.

Remarks

The toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can arrive in a URL, in form parameters, or from another domain by way of XDomainRequest or postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note: This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use toStaticHTML to modify elements in the body of a webpage.

Examples

The following script demonstrates how toStaticHTML sanitizes script and dynamic HTML attributes. The result of the operation is: <span>Click Me</span>.


<script type="text/javascript">
function sanitize() 
{
    var szInput = myDiv.innerHTML;
    var szStaticHTML = toStaticHTML(szInput);
    ResultComment = "\ntoStaticHTML sanitized the HTML fragment as follows:\n"
        + "Original Content:\n" + szInput + "\n"
        + "Static Content:\n" + szStaticHTML + "\n";
    myDiv.innerText = ResultComment;
}
</script>
</head>
<body onload="sanitize()">
    <div id="myDiv">
    <script>function test() { alert("Testing, Testing, 123..."); }</script>
    <span onclick="test()">Click Me</span>
    </div>
</body> 
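The following is an added example, not part of the MSDN page: it wraps window.toStaticHTML in a feature check (so the call degrades gracefully where the method is absent) and, for environments without it, falls back to a small reference filter that reproduces only the two behaviours this page documents, dropping script elements with their content and dropping on* event-handler attributes. The fallback (stripDynamicHtml, parseTag and toStaticHtmlSafe are names chosen here) is a teaching aid that shows what the native method is documented to remove; it is not a substitute for a parser-based sanitizer, and like the native method it does nothing about base elements.

```javascript
// Added example (not from the MSDN page): a feature-detected wrapper around
// window.toStaticHTML with a small reference filter used where the native
// method is absent. The fallback reproduces only the two behaviours the page
// documents (dropping <script> elements and on* event attributes); it is a
// teaching aid, not a general-purpose sanitizer.

// Parse one tag starting at s[start] === '<'. Returns null when the text is
// not a recognisable tag (e.g. "1 < 2", comments), so the caller copies '<'.
function parseTag(s, start) {
  var i = start + 1;
  var closing = false;
  if (s.charAt(i) === '/') { closing = true; i++; }
  var m = /^[A-Za-z][A-Za-z0-9:-]*/.exec(s.slice(i));
  if (!m) return null;
  var name = m[0];
  i += name.length;
  var attrs = [];
  var selfClosing = false;
  var terminated = false;
  while (i < s.length) {
    i += /^\s*/.exec(s.slice(i))[0].length;          // skip whitespace
    if (i >= s.length) break;
    var c = s.charAt(i);
    if (c === '>') { i++; terminated = true; break; }
    if (c === '/') { selfClosing = true; i++; continue; }
    var a = /^[^\s=\/>]+/.exec(s.slice(i));
    if (!a) { i++; continue; }                        // stray character
    var attrStart = i;
    i += a[0].length;
    var eq = /^\s*=\s*/.exec(s.slice(i));
    if (eq) {                                         // attribute has a value
      i += eq[0].length;
      var q = s.charAt(i);
      if (q === '"' || q === "'") {                   // quoted value
        var close = s.indexOf(q, i + 1);
        i = close === -1 ? s.length : close + 1;
      } else {                                        // unquoted value
        i += /^[^\s>]*/.exec(s.slice(i))[0].length;
      }
    }
    // Keep the raw source text so kept attributes are emitted unchanged.
    attrs.push({ name: a[0].toLowerCase(), raw: s.slice(attrStart, i) });
  }
  if (!terminated) return null;                       // unterminated tag
  return { name: name, closing: closing, selfClosing: selfClosing, attrs: attrs, end: i };
}

// Remove <script> elements (with their content) and any attribute whose name
// begins with "on", copying everything else through unchanged.
function stripDynamicHtml(fragment) {
  var out = '';
  var i = 0;
  while (i < fragment.length) {
    var lt = fragment.indexOf('<', i);
    if (lt === -1) { out += fragment.slice(i); break; }
    out += fragment.slice(i, lt);
    var tag = parseTag(fragment, lt);
    if (!tag) { out += '<'; i = lt + 1; continue; }
    i = tag.end;
    if (tag.name.toLowerCase() === 'script') {
      if (!tag.closing) {
        // Skip the element body up to and including its end tag.
        var re = /<\/script\s*>/ig;
        re.lastIndex = i;
        var end = re.exec(fragment);
        i = end ? end.index + end[0].length : fragment.length;
      }
      continue;                                       // a stray </script> is dropped too
    }
    var kept = tag.attrs.filter(function (a) { return a.name.indexOf('on') !== 0; });
    out += '<' + (tag.closing ? '/' : '') + tag.name;
    kept.forEach(function (a) { out += ' ' + a.raw; });
    out += (tag.selfClosing ? ' /' : '') + '>';
  }
  return out;
}

// Use the native method when the browser provides it (the check the community
// note below recommends) and the reference filter otherwise.
function toStaticHtmlSafe(fragment) {
  if (typeof window !== 'undefined' && typeof window.toStaticHTML === 'function') {
    return window.toStaticHTML(fragment);
  }
  return stripDynamicHtml(fragment);
}

// Constructed input: the fragment from the page's own example.
var SAMPLE_FRAGMENT =
  '<script>function test() { alert("Testing, Testing, 123..."); }</script>\n' +
  '<span onclick="test()">Click Me</span>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(toStaticHtmlSafe(SAMPLE_FRAGMENT)); // prints a newline followed by <span>Click Me</span>
}
```

Run under Node.js the output matches the result the page states for its example, a bare `<span>Click Me</span>`, while inside Internet Explorer 8 the same call goes to the native method. Keeping each attribute's raw source text means the filter never rewrites quoting or casing of what it keeps, which makes before/after diffs easy to read when reviewing what a fragment lost.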

See also

window
innerHTML

Build date: 3/8/2012

Examples are to show how to use it, not necessarily well made
Therefore I'd only agree to the first one.

To test whether this function is supported, check (window.toStaticHTML != null) as you would check whether other javascript method is supported. (Therefore, really, I don't actually agree it needs to be documented. However considering this documentation would be read by people who are new to javascript, I could second that it needs to be spelt out too.)
Very poor example
The example in this page is very poor from a web-standards based view:

1) There's no test whether the toStaticHTML() method is actually supported
2) The variable 'ResultComment' isn't declared within its scope so it becomes a global
3) There's a reference to a global 'myDiv' object that will only exist in IE's global scope because IE still wishes to stay backwards-compatible to its obsolete document.all object model.
4) innerText is also IE-only
5) inappropriate use of inline event handlers