My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Wednesday, November 12, 2003
« Microsoft PDC 2003: Slides from the Secu... | Main | ASP.NET 1.1 Request Validation flaw »

From Andy Oakley's Blog [Program Manager, MSDN]:

One of the challenges in importing external RSS feeds for the annotations aggregator is how to safely display untrusted HTML. Enter the SECURITY attribute of the IFRAME, a great way of instructing the browser to render the contents of the frame in the Restricted Sites zone, thus (by default) limiting the capabilities of HTML in that frame to markup and not much else.

To cut a long story short, the client-side component encodes the incoming HTML from the RSS feed and ships it around in that HtmlEncoded state through a series of transforms to provide sorting, create borders and generally beautify. Just before it’s rendered in the browser, there’s a final decoding step to decode that content back into HTML so that the markup is interpreted for display to the end user.

Since there’s no built-in client side implementation, here’s a rendition of Server.HtmlDecode in Javascript [1]


[Andy Oakley]

Tags:: Security
11/12/2003 5:50 PM Eastern Standard Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.