Summary: | Would like a way to prevent user-controlled markup from breaking out of an element
---|---
Product: | WebKit
Component: | WebCore Misc.
Status: | NEW ---
Severity: | Normal
Priority: | P2
Version: | Safari Technology Preview
Hardware: | Mac
OS: | Unspecified
Reporter: | Adam Roben (:aroben) <aroben>
Assignee: | Nobody <webkit-unassigned>
CC: | ap, bfulgham, jond, jonlee, sam, simon.fraser, webkit-bug-importer
Keywords: | InRadar
Description
Adam Roben (:aroben)
2016-04-15 08:21:27 PDT
Some strawman proposals:

    <untrusted srcdoc="<p>HTML goes here</p>">

This is similar to <iframe srcdoc>. We'd of course have to ensure the attribute value does not contain any quotes on the server side.

    <untrusted>
    <p>HTML goes here</p>
    </untrusted>

For this one to work, the parsing would need to be similar to <textarea> where it consumes all characters until the next instance of "</untrusted>". And of course we'd have to ensure to remove "</untrusted>" from the content itself on the server side.
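
Added example, not part of the original report and not WebKit code: a sketch of the server-side encoding each strawman would need. The function names and sample strings are hypothetical, and the `<untrusted>` parsing rule is assumed to match `<textarea>` as the report suggests.

```javascript
// Added example. <iframe srcdoc> is real HTML; <untrusted> is the hypothetical
// element from the report and no browser parses it.

// Proposal 1: inside a double-quoted attribute only '&' and '"' affect parsing.
// Escape '&' first so entities already in the markup survive the round trip.
function escapeForSrcdoc(html) {
  return html.replace(/&/g, "&amp;").replace(/"/g, "&quot;");
}

function wrapInSrcdoc(html) {
  // An empty sandbox attribute applies every iframe sandbox restriction.
  return '<iframe sandbox srcdoc="' + escapeForSrcdoc(html) + '"></iframe>';
}

// Proposal 2 (assumption: textarea-style parsing, so the closing tag name is
// matched case-insensitively). Stripping the bare "</untrusted" prefix is
// stricter than needed but does not depend on what follows the tag name.
const CLOSE_PREFIX = /<\/untrusted/gi;

function stripCloseTag(html) {
  // Repeat until stable: a single pass can splice a new closing tag together
  // from the text on either side of the one it removed.
  let previous;
  do {
    previous = html;
    html = html.replace(CLOSE_PREFIX, "");
  } while (html !== previous);
  return html;
}

function wrapInUntrusted(html) {
  return "<untrusted>" + stripCloseTag(html) + "</untrusted>";
}

// Constructed sample inputs.
const QUOTED = '<p title="a">x &amp; y</p>';
const SPLICED = "</untr</untrustedusted><p>outside</p>";
console.log(wrapInSrcdoc(QUOTED));
console.log(wrapInUntrusted(SPLICED));
```

Escaping, as in the first function, keeps the content intact; stripping, as in the second, alters it, which matters if the markup is later shown back to its author.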