toStaticHTML method

Removes dynamic HTML elements and attributes from an HTML fragment.

Internet Explorer 8



HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);


bstrHTML [in]

Type: BSTR

An HTML fragment.

pbstrStaticHTML [out, retval]

Type: BSTR

An HTML fragment consisting of static elements only.

Return value


If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Standards information

There are no standards that apply here.


The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note   This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use IHTMLWindow6::toStaticHTML to modify elements in the body of a webpage.

For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.

See also

Making HTML safer: details for toStaticHTML