
toStaticHTML method

Removes dynamic HTML elements and attributes from an HTML fragment.

Internet Explorer 8


Syntax


HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);

Parameters

bstrHTML [in]

Type: BSTR

An HTML fragment.

pbstrStaticHTML [out, retval]

Type: BSTR

An HTML fragment consisting of static elements only.

Return value

Type: HRESULT

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

Standards information

There are no standards that apply here.

Remarks

The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note: This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use IHTMLWindow6::toStaticHTML to modify elements in the body of a webpage.

For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.
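The base-element caveat from the note above, applied in practice. This is an added example, not code from the MSDN page: it takes IE8's window.toStaticHTML as a parameter (so the helper can be exercised outside IE), strips any base element from the sanitizer's output before that output is assigned to innerHTML, and refuses to emit unfiltered markup when no sanitizer is available. The tokenizer and the function names are assumptions of this example.

```javascript
// Return the index just past the '>' that closes the tag starting at `pos`
// (which points at '<'), honouring quoted attribute values that contain '>'.
function endOfStartTag(html, pos) {
  let quote = null;
  for (let i = pos + 1; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'") {
      quote = ch;
    } else if (ch === '>') {
      return i + 1;
    }
  }
  return html.length; // unterminated tag: consume the rest
}

// Remove every <base ...> start tag and </base> end tag from an HTML fragment.
// The input is expected to be toStaticHTML's serialized output, so this only
// has to recognise well-formed tags; it is not a general-purpose sanitizer.
// The lookahead keeps <basefont> (a different element) untouched.
function removeBaseElements(html) {
  const out = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out.push(html.slice(i)); break; }
    out.push(html.slice(i, lt));
    if (/^<\/?base[\s\/>]/i.test(html.substr(lt, 8))) {
      i = endOfStartTag(html, lt); // drop the whole tag
    } else {
      out.push('<');
      i = lt + 1;
    }
  }
  return out.join('');
}

// Sanitize with toStaticHTML, then drop base elements that it leaves in place.
// `toStatic` is injected; in IE8+ pass function (s) { return window.toStaticHTML(s); }.
function toSafeStaticHTML(fragment, toStatic) {
  if (typeof toStatic !== 'function') {
    throw new Error('toStaticHTML is unavailable; refusing to emit unfiltered HTML');
  }
  return removeBaseElements(String(toStatic(fragment)));
}
```

In the browser, assign the return value of toSafeStaticHTML to the innerHTML of an element inside the body, as the note recommends.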

See also

Making HTML safer: details for toStaticHTML
IHTMLElement::innerHTML

© 2015 Microsoft