admin管理员组文章数量:1312960
My application dynamically builds HTML content as a string and when finished the content is being attached to the DOM. In WinJS however this throws exceptions once I try to attach the string to the DOM. In order to work around these exceptions I have to sanitize the HTML by running it through toStaticHTML, which is globally defined in WinJS as well as in Internet Explorer. The issue that I am having is that there are quite a lot of use of data-* html5 attributes. Once I run those through toStaticHTML they are being stripped. Why does toStaticHTML remove data-* attributes? What is the real security concern with them?
Note that I cannot wrap the DOM insertion in MSApp.execUnsafeLocalFunction because I am using jQuery and I am not allowed to modify the jQuery code.
var html = "<ul><li data-role='list-node'>My list node</li></ul>";
$('#container').html(toStaticHTML(html));
Produces:
<ul>
<li>My list node</li>
</ul>
My application dynamically builds HTML content as a string and when finished the content is being attached to the DOM. In WinJS however this throws exceptions once I try to attach the string to the DOM. In order to work around these exceptions I have to sanitize the HTML by running it through toStaticHTML, which is globally defined in WinJS as well as in Internet Explorer. The issue that I am having is that there are quite a lot of use of data-* html5 attributes. Once I run those through toStaticHTML they are being stripped. Why does toStaticHTML remove data-* attributes? What is the real security concern with them?
Note that I cannot wrap the DOM insertion in MSApp.execUnsafeLocalFunction because I am using jQuery and I am not allowed to modify the jQuery code.
var html = "<ul><li data-role='list-node'>My list node</li></ul>";
$('#container').html(toStaticHTML(html));
Produces:
<ul>
<li>My list node</li>
</ul>
-
$('#container').html(html)does not work?htmlis a string anyway... – Ridcully Commented Sep 2, 2012 at 10:02
3 Answers
Reset to default 8This is because of security concerns about inserting random bits of HTML into the document, and potentially allowing unsafe code to execute inside a protected context (your app, with full access to the WinRT, and users documents).
toStaticHtml is intended to remain 'secure' in the case of evolving HTML/web patterns so it is a whitelist rather than a blacklist.
Given your challenge that you have here I see the following options:
- wrap the call to jquery in
msExecUnsafeLocalFunction(see below). This means for the life of that call, all Dom insertions will be fine. This doesn't require a change to jquery, just your code. - Completely rewrite any of the DOM calls that Jquery is using under the covers to call with
msExecUnsafeLocalFunction - Change the security context of your application to the web context rather than the local context. This, of course will lose you access to WinRT directly. You'll have to operate through some other mechanism (messaging between I frames or similar)
- Use
WinJS.Binding.Templateto render your content rather than Jquery. This clones the nodes rather than stringifying the HTML - write your own node cloner
- set the attribute with
setAttributeafter the safe node is inserted.
Example usage of msExecUnsafeLocalFunction:
MSApp.execUnsafeLocalFunction(function() {
$('#container').html(html);
});
The data-role-attribute is not listed here: http://msdn.microsoft./en-us/library/windows/apps/hh465388.aspx
It's an unknown attribute and will be removed.
As mention in the docs data is not allowed: http://msdn.microsoft./en-us/library/windows/apps/hh465388.aspx
本文标签: javascriptWhy does toStaticHTML remove data* attributesStack Overflow
版权声明:本文标题:javascript - Why does toStaticHTML remove data-* attributes - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1741900708a2403852.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论