toStaticHTML method

  • Article

Removes dynamic HTML elements and attributes from an HTML fragment.

 

Syntax

HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);

Parameters

  • bstrHTML [in]
    Type: BSTR

    An HTML fragment.

  • pbstrStaticHTML [out, retval]
    Type: BSTR

    An HTML fragment consisting of static elements only.

Return value

Type: HRESULT

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Standards information

There are no standards that apply here.

Remarks

The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note   This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use IHTMLWindow6::toStaticHTML to modify elements in the body of a webpage.

 

For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.

See also

Making HTML safer: details for toStaticHTML

IHTMLElement::innerHTML