Why does toStaticHTML remove data-* attributes


Problem description


My application dynamically builds HTML content as a string and, when finished, the content is attached to the DOM. In WinJS, however, this throws exceptions once I try to attach the string to the DOM. In order to work around these exceptions I have to sanitize the HTML by running it through toStaticHTML, which is globally defined in WinJS as well as in Internet Explorer. The issue that I am having is that there is quite a lot of use of data-* HTML5 attributes. Once I run those through toStaticHTML they are stripped. Why does toStaticHTML remove data-* attributes? What is the real security concern with them?


Note that I cannot wrap the DOM insertion in MSApp.execUnsafeLocalFunction because I am using jQuery and I am not allowed to modify the jQuery code.

var html = "<ul><li data-role='list-node'>My list node</li></ul>";
$('#container').html(toStaticHTML(html));

Produces:

<ul>
    <li>My list node</li>
</ul>


Recommended answer


This is because of security concerns about inserting random bits of HTML into the document, and potentially allowing unsafe code to execute inside a protected context (your app, with full access to WinRT and users' documents).


toStaticHtml is intended to remain 'secure' in the case of evolving HTML/web patterns so it is a whitelist rather than a blacklist.


Given the challenge that you have here, I see the following options:


  • Wrap the call to jQuery in msExecUnsafeLocalFunction (see below). This means that for the life of that call, all DOM insertions will be fine. This doesn't require a change to jQuery, just to your code.
  • Completely rewrite any of the DOM calls that jQuery is using under the covers to call with msExecUnsafeLocalFunction.
  • Change the security context of your application to the web context rather than the local context. This, of course, will lose you direct access to WinRT. You'll have to operate through some other mechanism (messaging between iframes or similar).
  • Use WinJS.Binding.Template to render your content rather than jQuery. This clones the nodes rather than stringifying the HTML.
  • Write your own node cloner.
  • Set the attribute with setAttribute after the safe node is inserted.


Example usage of msExecUnsafeLocalFunction:

MSApp.execUnsafeLocalFunction(function() {
    $('#container').html(html);
});
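As an added illustration (not part of the question or the answer above, and not WinJS or Internet Explorer code), the following JavaScript sketches the allowlist behaviour the answer describes: anything not explicitly permitted, including every data-* attribute and every event-handler attribute, is dropped, which reproduces the output the question shows. It also shows the safer alternative to blanket-allowing data-*: a policy that admits one named data attribute only when its value matches a strict pattern, so that whatever consumer script later reads that attribute cannot be fed arbitrary content. The tag and attribute lists, the policy object and the value pattern are assumptions made here for illustration, and the tokenizer only handles simple, well-formed markup like the snippet in the question; it is not a full HTML parser.

```javascript
// Added example: a minimal allowlist-based HTML filter in the spirit of toStaticHTML.
// Assumed policy shape (not an API of WinJS or IE): which tags may stay, which plain
// attributes may stay, and which data-* attributes may stay with a required value pattern.
const DEFAULT_POLICY = {
  tags: new Set(['ul', 'ol', 'li', 'div', 'span', 'p', 'b', 'i', 'a']),
  attrs: new Set(['id', 'class', 'title']),
  dataAttrs: {}, // nothing data-* is admitted by default, as the question observes
};

// Elements whose text content is dropped as well, not just their tags.
const DROP_CONTENT = new Set(['script', 'style']);

// Tokenizer for simple markup: tag name plus raw attribute text. Attribute values
// containing '>' are not supported (limitation of this illustration).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');
}

// Keep only allowlisted attributes; re-serialize them with double quotes.
function filterAttributes(rawAttrs, policy) {
  const kept = [];
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (policy.attrs.has(name)) {
      kept.push(` ${name}="${escapeAttr(value)}"`);
    } else if (name.startsWith('data-')) {
      // A data-* attribute survives only if the policy names it AND its value validates.
      const pattern = policy.dataAttrs[name];
      if (pattern && pattern.test(value)) kept.push(` ${name}="${escapeAttr(value)}"`);
    }
    // Everything else (on* handlers, style, unknown data-*, unknown names) is dropped.
  }
  return kept.join('');
}

function sanitizeHtml(html, policy = DEFAULT_POLICY) {
  let out = '';
  let last = 0;
  let dropDepth = 0; // > 0 while inside an element whose content is discarded
  for (const m of html.matchAll(TAG_RE)) {
    const [token, slash, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (dropDepth === 0) out += html.slice(last, m.index); // text between tags
    last = m.index + token.length;
    if (DROP_CONTENT.has(name)) {
      dropDepth = Math.max(0, dropDepth + (slash ? -1 : 1));
      continue;
    }
    if (dropDepth > 0 || !policy.tags.has(name)) continue; // tag removed, text kept
    out += slash ? `</${name}>` : `<${name}${filterAttributes(rawAttrs, policy)}>`;
  }
  if (dropDepth === 0) out += html.slice(last);
  return out;
}

// Constructed sample: the exact snippet from the question.
const QUESTION_HTML = "<ul><li data-role='list-node'>My list node</li></ul>";

// A policy that admits data-role, but only with a short token-like value.
const ROLE_POLICY = { ...DEFAULT_POLICY, dataAttrs: { 'data-role': /^[a-z][a-z0-9-]*$/ } };

function demo() {
  return {
    stripped: sanitizeHtml(QUESTION_HTML),              // data-role removed, as on the page
    admitted: sanitizeHtml(QUESTION_HTML, ROLE_POLICY), // data-role kept under the policy
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

With the default policy the output is the same `<ul><li>My list node</li></ul>` the question reports; with ROLE_POLICY the attribute comes back as `data-role="list-node"`, while a value such as `bad value` still fails the pattern and is dropped. The point of the per-attribute pattern is that a sanitizer cannot know what downstream script will do with a data-* value, so admitting one means also constraining it.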

