Description

Our previous strategy to provide an innerHTML getter was to invoke the
browser's, then sanitize the output. This strategy cannot implement
foreign node protection, since whether a node is foreign depends on its
object identity, which is not available starting from an innerHTML
string.
Therefore, it is replaced by our own implementation working off the
tame nodes (and therefore unable to provide excess authority over
regular DOM traversal), and operating according to the HTML5
specification's HTML fragment serialization algorithm.
@r5144
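A sketch of the approach the description outlines, added here as an illustration and not taken from the patch or from Caja: a serializer that walks node objects following the HTML5 fragment serialization rules and checks foreignness by object identity. The plain-object node shape, the `foreignNodes` WeakSet, and the choice to omit foreign nodes from the output are assumptions made for this example.

```javascript
// Added illustration: node shapes and names are hypothetical, not Caja's API.
const VOID = new Set(['area', 'base', 'br', 'col', 'embed', 'hr', 'img',
  'input', 'link', 'meta', 'source', 'track', 'wbr']);
// Elements whose text children are emitted without escaping.
const RAW_TEXT = new Set(['style', 'script', 'xmp', 'iframe', 'noembed',
  'noframes', 'plaintext']);

const escapeText = s => s.replace(/&/g, '&amp;').replace(/\u00a0/g, '&nbsp;')
  .replace(/</g, '&lt;').replace(/>/g, '&gt;');
// Attribute mode also escapes the double quote.
const escapeAttr = s => escapeText(s).replace(/"/g, '&quot;');

// Foreignness is a matter of object identity, so it is looked up in a WeakSet
// of node objects; nothing in the serialized markup could carry that fact.
function serializeChildren(parent, foreignNodes) {
  let out = '';
  for (const child of parent.children || []) {
    if (foreignNodes.has(child)) continue; // opaque: never descend into it
    if (child.type === 'text') {
      out += RAW_TEXT.has(parent.name) ? child.data : escapeText(child.data);
    } else if (child.type === 'comment') {
      out += '<!--' + child.data + '-->';
    } else if (child.type === 'element') {
      out += '<' + child.name;
      for (const [k, v] of Object.entries(child.attrs || {})) {
        out += ' ' + k + '="' + escapeAttr(v) + '"';
      }
      out += '>';
      if (VOID.has(child.name)) continue; // void: no children, no end tag
      out += serializeChildren(child, foreignNodes) + '</' + child.name + '>';
    }
  }
  return out;
}

// Constructed sample tree: one host-owned (foreign) subtree among guest nodes.
function demo() {
  const foreign = { type: 'element', name: 'div',
    children: [{ type: 'text', data: 'host secret' }] };
  const root = { type: 'element', name: 'div', children: [
    { type: 'element', name: 'p', attrs: { title: 'a "b" & c' }, children: [
      { type: 'text', data: '1 < 2' }, { type: 'element', name: 'br' }] },
    foreign,
    { type: 'element', name: 'script',
      children: [{ type: 'text', data: 'a<b' }] }] };
  return serializeChildren(root, new WeakSet([foreign]));
}
```

A structurally identical `div` that is not in the WeakSet serializes normally, which is the distinction a sanitizer working from an innerHTML string cannot make.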
Patch Set 1
Total comments: 8
Patch Set 2: Replace host innerHTML with our own HTML5-compliant serializer.
Patch Set 3: Replace host innerHTML with our own HTML5-compliant serializer.
Patch Set 4: Replace host innerHTML with our own HTML5-compliant serializer.
Messages
Total messages: 6