toStaticHTML method
Removes dynamic HTML elements and attributes from an HTML fragment.
Syntax
HRESULT retVal = object.toStaticHTML(bstrHTML, pbstrStaticHTML);
Parameters
- bstrHTML [in]
  Type: BSTR
  An HTML fragment.
- pbstrStaticHTML [out, retval]
  Type: BSTR
  An HTML fragment consisting of static elements only.
Return value
Type: HRESULT
If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.
Standards information
There are no standards that apply here.
Remarks
The IHTMLWindow6::toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can arrive in a URL, in form parameters, or across domains via XDomainRequest or IHTMLWindow6::postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.
For more info about IHTMLWindow6::toStaticHTML, see Making HTML safer: details for toStaticHTML.
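The following is an added example, not code from this reference page: it shows one way to apply toStaticHTML to a fragment received over postMessage, checking the message origin first and falling back to plain-text escaping when the browser does not provide the method. The window and document objects are passed in as parameters (an assumption made so the helpers can be exercised outside a browser); `allowedOrigin`, `toSafeFragment` and `installMessageHandler` are names chosen here.

```javascript
// Escape a string so the browser treats it as text, not markup.
// Used only when no sanitizer is available.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Turn an untrusted HTML fragment into something safe to assign to innerHTML.
// `win` is the window object (injected here so the function is testable).
function toSafeFragment(win, html) {
  if (typeof html !== "string") return "";
  if (win && typeof win.toStaticHTML === "function") {
    // Browser-provided sanitizer: strips script and event attributes,
    // leaving only static elements.
    return win.toStaticHTML(html);
  }
  // No sanitizer: refuse to interpret the input as markup at all.
  return escapeHtml(html);
}

// Wire a message handler that renders cross-domain input into a target element.
// The origin check comes first: postMessage data from any other origin is dropped.
function installMessageHandler(win, doc, allowedOrigin, targetId) {
  win.addEventListener("message", (ev) => {
    if (ev.origin !== allowedOrigin) return;
    const target = doc.getElementById(targetId);
    if (target) target.innerHTML = toSafeFragment(win, ev.data);
  });
}

module.exports = { escapeHtml, toSafeFragment, installMessageHandler };
```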
See also
