Showing content from https://webplatform.github.io/docs/dom/HTMLElement/toStaticHTML below:

toStaticHTML · WebPlatform Docs

toStaticHTML

Method of dom/HTMLElement

Syntax
var object = object.toStaticHTML(bstrHTML, pbstrStaticHTML);
Parameters

bstrHTML
Data-type
BSTR

An HTML fragment.

pbstrStaticHTML
Data-type
BSTR

An HTML fragment consisting of static elements only.

Return Value

Returns an object of type DOM Node

Type: HRESULT

If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.

String

An HTML fragment consisting of static elements only.

Examples

The following script demonstrates how toStaticHTML sanitizes script and dynamic HTML attributes. The result of the operation is: Click Me.

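<html>
<head>
<script type="text/javascript">
// Runs on page load: sanitizes the markup inside myDiv and displays both versions as text.
function sanitize()
{
    var myDiv = document.getElementById("myDiv");
    var szInput = myDiv.innerHTML;
    // toStaticHTML removes script elements and event attributes such as onclick.
    var szStaticHTML = toStaticHTML(szInput);
    var ResultComment = "\ntoStaticHTML sanitized the HTML fragment as follows:\n"
        + "Original Content:\n" + szInput + "\n"
        + "Static Content:\n" + szStaticHTML + "\n";
    // innerText shows the result as plain text instead of parsing it as HTML.
    myDiv.innerText = ResultComment;
}
</script>
</head>
<body onload="sanitize()">
    <div id="myDiv">
    <script>function test() { alert("Testing, Testing, 123..."); }</script>
    <span onclick="test()">Click Me</span>
    </div>
</body>
</html>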
Notes

Remarks

The toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note: This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use toStaticHTML to modify elements in the body of a webpage.
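The Remarks above say that toStaticHTML leaves the attributes of the base element alone. The following added example (not part of the original WebPlatform page) wraps the call so that <base> tags are stripped from the sanitized result, and so that input is escaped as plain text where no sanitizer exists. It reads "base element" as the HTML <base> tag; safeFragment, escapeHtml, standInSanitizer and demo are hypothetical names, and standInSanitizer is a constructed stand-in so the code runs outside a browser that provides toStaticHTML.

```javascript
// Added example, not from the original page. Assumption: "base element" in the
// Remarks means the HTML <base> tag. All function names here are hypothetical.

// Encode text so it is displayed literally and never parsed as markup.
function escapeHtml(text) {
  var map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// An opening <base> tag in any letter case; <basefont> is not matched.
var BASE_TAG = /<base(?=[\s\/>])[^>]*>/gi;

// sanitizer: the platform function, e.g. window.toStaticHTML where it exists.
// Returns { html, mode } so the caller can log which path was taken.
function safeFragment(input, sanitizer) {
  if (typeof sanitizer !== 'function') {
    // No sanitizer available: fail closed and render the input as plain text.
    return { html: escapeHtml(input), mode: 'escaped' };
  }
  var out = String(sanitizer(input));
  var prev;
  // Repeat until stable, because removing one tag can join the text on
  // either side of it into a new tag.
  do {
    prev = out;
    out = out.replace(BASE_TAG, '');
  } while (out !== prev);
  return { html: out, mode: 'sanitized' };
}

// Constructed stand-in for toStaticHTML so the example runs outside a browser.
// It only mimics the behaviour shown in the Examples section.
function standInSanitizer(html) {
  return html.replace(/<script[\s\S]*?<\/script>/gi, '')
             .replace(/\son\w+="[^"]*"/gi, '');
}

// Constructed sample input.
var SAMPLE = '<base href="https://example.invalid/">' +
  '<script>function test() {}</script>' +
  '<span onclick="test()">Click Me</span>';

function demo() {
  return safeFragment(SAMPLE, standInSanitizer);
}
```

In a page, pass window.toStaticHTML as the second argument and assign the returned html to the target element only when mode is the one you expect.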

Standards information

There are no standards that apply here.
