Tim Streater
1/11/2015 9:16:00 AM
In article <hOlsw.607583$5U6.318062@fx01.iad>, Richard Damon
<Richard@Damon-Family.org> wrote:
>On 1/10/15 1:43 PM, Tim Streater wrote:
>> I have some untrusted HTML, so I want to de-activate any <scripts> it
>> contains before shoving it into an iframe. Is there any reason not to
>> do the following?
>>
>> var newdoc = new DOMParser().parseFromString (untrustedHTML, 'text/html');
>> var scripts = newdoc.querySelectorAll ('script');
>> var num = scripts.length;
>>
>> for (var i=0; i<num; i++)
>> {
>> // a script element is never a direct child of the document, so remove
>> // it from its real parent (newdoc.removeChild would throw NotFoundError)
>> scripts[i].parentNode.removeChild (scripts[i]);
>> }
>>
>> iframePtr.open ();
>> iframePtr.write (new XMLSerializer().serializeToString (newdoc));
>> iframePtr.close ();
>>
>> Of course it's a bit heavy to have the string parsed once so I can
>> reliably remove script elements, only to then have to serialise it so
>> that I can write it into the iframe (where it gets parsed again). But
>> it seems that once written into the iframe, the browser starts doing
>> speculative downloading in parallel with the rest of my javascript
>> thread execution - making it too late to prevent the remote end from
>> being aware that I have received their HTML.
>>
>
>When dealing with "untrusted" data, it is MUCH better to parse it and
>allow what you need to and is safe, rather than trying to think about
>all the bad things that could be and block them.
I'm letting the browser parse it; it will do a much better and more
complete job than I can.
--
"Please stop telling us what you feel. Please stop telling us what your
intuition is. Your intuitive feelings are of no interest whatsoever,
and nor are mine. I don't give a bugger what you feel, or what I feel.
I want to know what the evidence shows." -- Richard Dawkins
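An allowlist sanitizer of the kind Richard describes, built on the browser's own parser as Tim prefers, as an added example that is not code from either poster. Rather than hunting for `<script>`, it keeps only elements and attributes that are explicitly allowed and removes everything else (scripts, styles, images, frames, event-handler attributes, `javascript:` links), so nothing is left in the document for the browser to fetch speculatively. The tag, attribute and scheme allowlists are assumptions chosen for illustration, the `FakeNode` class is a constructed stand-in for DOM nodes so the walker can be exercised outside a browser, and the `example.invalid` hosts in the sample fragment are constructed.

```javascript
// Added example (not code from the thread): allowlist sanitizer on top of the
// browser's parser. Allowlists below are assumptions; adjust to your content.
const ALLOWED_TAGS = new Set(["html", "head", "body", "div", "span", "p", "br",
  "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "pre", "code",
  "h1", "h2", "h3", "a"]);
const GLOBAL_ATTRS = new Set(["title"]);        // allowed on every kept element
const TAG_ATTRS = { a: new Set(["href"]) };      // extra attributes per tag
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// May a URL-valued attribute stay? Relative URLs are fine; scheme-relative
// ("//host/...") and any scheme outside the allowlist are not.
function isSafeUrl(value) {
  // Browsers strip tab/newline anywhere in a URL and leading control/space
  // characters before reading the scheme, so normalise the same way first.
  const v = String(value).replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (!m) return !v.startsWith("//");
  return ALLOWED_SCHEMES.has(m[1].toLowerCase() + ":");
}

// Walk a parsed tree, keeping only allowlisted elements and attributes.
// Nothing is enumerated for removal: whatever is not allowed goes.
function sanitizeTree(node) {
  for (const child of Array.from(node.childNodes)) {   // snapshot: we mutate
    if (child.nodeType === 1) {                         // element node
      const tag = child.tagName.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) { node.removeChild(child); continue; }
      const perTag = TAG_ATTRS[tag] || new Set();
      for (const name of child.getAttributeNames()) {
        const lname = name.toLowerCase();
        const keep = (GLOBAL_ATTRS.has(lname) || perTag.has(lname)) &&
          !(lname === "href" && !isSafeUrl(child.getAttribute(name)));
        if (!keep) child.removeAttribute(name);
      }
      sanitizeTree(child);
    } else if (child.nodeType !== 3) {                  // keep text nodes only
      node.removeChild(child);                          // comments, PIs, ...
    }
  }
}

// Browser entry point: parse once with DOMParser, prune, serialise for write().
function sanitizeHtml(untrustedHTML) {
  const doc = new DOMParser().parseFromString(untrustedHTML, "text/html");
  sanitizeTree(doc.documentElement);
  return doc.documentElement.outerHTML;
}

// Constructed stand-in for the handful of DOM members the walker uses, so the
// logic can be run and checked outside a browser (assumption, not real DOM).
class FakeNode {
  constructor(nodeType, tagName, attrs = {}, text = "") {
    this.nodeType = nodeType; this.tagName = tagName ? tagName.toUpperCase() : null;
    this.attrs = { ...attrs }; this.text = text; this.childNodes = [];
  }
  append(...kids) { this.childNodes.push(...kids); return this; }
  removeChild(c) { this.childNodes = this.childNodes.filter(x => x !== c); }
  getAttributeNames() { return Object.keys(this.attrs); }
  getAttribute(n) { return this.attrs[n]; }
  removeAttribute(n) { delete this.attrs[n]; }
  serialize() {
    if (this.nodeType !== 1) return this.text;
    const a = Object.entries(this.attrs)
      .map(([k, v]) => ` ${k}="${String(v).replace(/"/g, "&quot;")}"`).join("");
    const t = this.tagName.toLowerCase();
    return `<${t}${a}>${this.childNodes.map(c => c.serialize()).join("")}</${t}>`;
  }
}

// Constructed untrusted fragment: a script, an event handler, a tracking
// image, a javascript: link, a comment, plus legitimate content to keep.
function sampleUntrusted() {
  const el = (t, a, ...k) => new FakeNode(1, t, a).append(...k);
  const txt = s => new FakeNode(3, null, {}, s);
  return el("body", {},
    el("script", {}, txt("x()")),
    el("p", { onmouseover: "x()", title: "hi" }, txt("Hello "), el("b", {}, txt("world"))),
    el("img", { src: "http://example.invalid/pixel.gif" }),
    el("a", { href: "javascript:x()" }, txt("bad link")),
    el("a", { href: "https://example.invalid/page", target: "_blank" }, txt("ok link")),
    new FakeNode(8, null, {}, "comment"));
}

// Run the sanitizer over the sample and return the surviving markup.
function demo() {
  const root = sampleUntrusted();
  sanitizeTree(root);
  return root.serialize();
}
```

In a page, `sanitizeHtml(untrustedHTML)` replaces the script-stripping loop and its result is written into the iframe exactly as in Tim's snippet; since no `img`, `link`, `style`, `iframe` or `object` survives, there is nothing left for the browser's speculative loader to request. A `sandbox` attribute on the iframe is an independent second layer that does not depend on the sanitizer being complete.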