execUnsafeLocalFunction method

Disables script injection validation for the passed function within the local context.

Internet Explorer 10



var retVal = MSApp.execUnsafeLocalFunction(unsafeFunction);


unsafeFunction [in]

Type: MSUnsafeFunctionCallback

Function that executes synchronously with no accidental script injection validation applied.

Return value

Type: any

Returns the return value of functionToExecute.


This method runs a provided JavaScript function such that the function is executed in a context that turns off the accidental script validation behavior applied to innerHTML, outerHTML, document.write, and so on, for the duration of the call to unsafeFunction.

This method does not catch exceptions thrown by functionToExecute. Instead, it throws any exceptions that were thrown by the function that executed.

The opting out of the accidental script validation behavior applies synchronously for the duration of the call to unsafeFunction. Calls that are set up to run asynchronously, such as setInterval, do not receive the opt-out behavior.

execUnsafeLocalFunction should never be used on untrusted data without filtering or encoding first. When in doubt about the origins of any data, a safe encoding library or the toStaticHTML method should be used to ensure that data is sanitized prior to use with unsafe methods.

Caution  Calling this function can lead to serious security concerns such as HTML and script injection issues. Whenever possible, use createElement, setAttribute, and innerText rather than innerHTML and execUnsafeLocalFunction. Consider the following code sample:

MSApp.execUnsafeLocalFunction(function() {
  var body = document.getElementsByTagName('body')[0];
  body.innerHTML = '<div style="color:' + textColor + '">example</div>';

If textColor originates from the network, this value may be vulnerable to change by malicious third parties. For example, if your server sends the following JSON object {'textColor': 'red'}, a malicious third party could modify it as shown here:

{ 'textColor': '></div><script>Windows.UI.Popups.MessageDialog("This is an injection issue").showAsync().then();</script>' }

By substituting innerHTML and execUnsafeLocalFunction with the more secure createElement and innerText, the previous example can be written as shown here:

var body = document.getElementsByTagName('body')[0];

var exampleDiv = document.createElement('div');
exampleDiv.style.color = textColor;
exampleDiv.innerText = 'example';


Because textColor is set directly on the corresponding property, there is no way for an attacker to inject HTML.

See also