Why for the love of all things did you do this Microsoft?

  • Question

  • It's impossible to use any third party js plugins without heavy customizations now because of this.

    JavaScript runtime error: Unable to add dynamic content. A script attempted to inject dynamic content, or elements previously modified dynamically, that might be unsafe. For example, using the innerHTML property to add script or malformed HTML will generate this exception. Use the toStaticHTML method to filter dynamic content, or explicitly create elements and attributes with a method such as createElement.

    I know it's been there since 8.0 and this is so annoying, because now I have to spend days and days rewriting a perfectly fine app. Whoever told you this is a security issue is not in their head. This is why you don't have developers on your platform! Things like this.


    Do you know how many types of sliders and display mechanisms and jQuery projects use this? I've never once come across a security issue because of this.
    Monday, October 21, 2013 2:04 AM

All replies

  • Your app has more privileges than a typical web page and allowing dynamic content could allow a script injection attack to let remote code call into the Windows Runtime and run amok with the app's privileges. To prevent this, injected code is run through toStaticHTML to block any dynamic content.

    If you are using local script which you have verified is safe then there are several ways to disable this. For your library case take a look at MSApp.execUnsafeLocalFunction.

    See the Dynamically adding HTML section in HTML, CSS, and JavaScript features and differences for more details.

    --Rob

    Monday, October 21, 2013 2:43 AM
    Moderator
  • I still think it's unnecessary. Still getting the same error when trying to wrap

    WinJS.Utilities.setInnerHTMLUnsafe(wrapper.innerHTML = slideLastHTML + wrapper.innerHTML + slideFirstHTML);

    Is there a way at the root of the app to just say yes DO INNERHTML all my scripts are local nothing calls out so just work like NORMAL. A flag or something?

    Monday, October 21, 2013 3:00 AM

  • The code snippet you show here is still setting innerHTML directly so it will do the unsafe check. It then passes that result to setInnerHTMLUnsafe. Instead you want something like:
    WinJS.Utilities.setInnerHTMLUnsafe(wrapper, slideLastHTML + wrapper.innerHTML + slideFirstHTML);
    --Rob
    Monday, October 21, 2013 11:48 PM
    Moderator
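
Added example, not part of the thread and not WinJS source: a model, runnable in Node, of why the line in the question still throws while the form in the answer does not. `makeElement`, `looksDynamic`, `outcome` and the two stand-in functions are constructed here to mimic the behaviour described above; the regex is a crude assumption, not the real filter.

```javascript
// Constructed stand-ins modelling the behaviour in this thread; not the real WinJS/MSApp code.
let unsafeAllowed = false;

// Crude assumption of what the host treats as dynamic content.
function looksDynamic(html) {
  return /<script\b|\son\w+\s*=|javascript:/i.test(html);
}

function makeElement(initial) {
  let html = initial;
  return {
    get innerHTML() { return html; },
    set innerHTML(value) {
      if (!unsafeAllowed && looksDynamic(value)) {
        throw new Error("Unable to add dynamic content");
      }
      html = value;
    },
  };
}

// Model of MSApp.execUnsafeLocalFunction: the check is lifted only while fn runs.
function execUnsafeLocalFunction(fn) {
  const previous = unsafeAllowed;
  unsafeAllowed = true;
  try { return fn(); } finally { unsafeAllowed = previous; }
}

// Model of WinJS.Utilities.setInnerHTMLUnsafe(element, text).
function setInnerHTMLUnsafe(element, text) {
  execUnsafeLocalFunction(() => { element.innerHTML = text; });
}

function outcome(fn) {
  try { fn(); return "ok"; } catch (e) { return "threw"; }
}

function demo() {
  const first = '<div onclick="go(0)">first</div>'; // constructed sample markup
  const last = '<div onclick="go(9)">last</div>';
  const a = makeElement("<div>slide</div>");
  const b = makeElement("<div>slide</div>");
  return {
    // Question's form: the assignment runs as the argument, before the call is made.
    asker: outcome(() => setInnerHTMLUnsafe(a.innerHTML = last + a.innerHTML + first)),
    // Answer's form: element and string are passed separately.
    answer: outcome(() => setInnerHTMLUnsafe(b, last + b.innerHTML + first)),
    html: b.innerHTML,
  };
}
```

In this model the check is lifted only inside the callback, so a plain `innerHTML` assignment elsewhere in the app still goes through the filter.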