Javascript runtime error

    Question

  • I am getting this JavaScript Runtime error for some reason:

     

    JavaScript runtime error: Unable to add dynamic content. A script attempted to inject dynamic content, or elements previously modified dynamically, that might be unsafe. For example, using the innerHTML property or the document.write method to add a script element will generate this exception. If the content is safe and from a trusted source, use a method to explicitly manipulate elements and attributes, such as createElement, or use msWWA.execUnsafeLocalFunction.

    It is highlighting this: document.getElementById("mineTable").innerHTML = tableGen;
    How can I fix this?

    Friday, September 16, 2011 1:29 AM

Answers

  • The host enforcement code will throw an access denied exception in the event that you try to set the innerHTML (and outerHTML and a couple of others) of an element to HTML which doesn't conform to a whitelist of known safe HTML.

    You can get around this in a couple of ways:

    1) call toStaticHTML() on your string first which should strip out everything which is disallowed

    2) use WinJS.Utilities.setInnerHTMLUnsafe(element, text), this allows you to set innerHTML to anything you like

    3) use msWWA.execUnsafeLocalFunction, for instance: msWWA.execUnsafeLocalFunction(function () { element.innerHTML = text; })

    #2 is implemented in terms of #3.

    Be aware that if you set innerHTML of an element to HTML that you don't control (e.g. something you downloaded off the web like an RSS feed) it may contain script which will be able to access the WinRT and do bad things, which is why the names of the functions in 2) and 3) are purposefully a little scary.

    -josh [MSFT]

    • Marked as answer by maxhudson Sunday, September 18, 2011 6:23 AM
    Saturday, September 17, 2011 2:42 PM
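
Added example (not part of the thread or of the tutorial's code): option 1 applied to the RSS case discussed here, with the feed's text fields going through textContent and only the description going through the sanitizer. `renderPost` and its parameters are hypothetical names; in the app the sanitizer would be a wrapper around `toStaticHTML`.

```javascript
// Added example (not from the thread). renderPost and its parameters are
// hypothetical names; toStaticHTML is the host-provided sanitizer named above.

/**
 * Build one feed entry without tripping the host's dynamic-content check.
 * doc      - the DOM document (passed in so the function is testable)
 * sanitize - function(html) -> safe html; in the app, wrap toStaticHTML
 * post     - { title, pubDate, description } strings taken from the feed
 */
function renderPost(doc, sanitize, post) {
    // Fail closed: never fall back to assigning raw feed HTML.
    if (typeof sanitize !== "function") {
        throw new TypeError("renderPost: a sanitizer function is required");
    }
    var parent = doc.createElement("div");

    // Title and date are plain text. Assigning textContent produces a text
    // node, so any markup inside them is displayed literally, never parsed.
    [["title", "postTitle"], ["pubDate", "postDate"]].forEach(function (f) {
        var div = doc.createElement("div");
        div.className = f[1];
        div.textContent = String(post[f[0]] || "");
        parent.appendChild(div);
    });

    // The description is HTML from the feed: sanitize it before it
    // reaches innerHTML (option 1 in the answer).
    var body = doc.createElement("div");
    body.className = "postContent";
    body.innerHTML = sanitize(String(post.description || ""));
    parent.appendChild(body);

    return parent;
}

// In the app (local context) this would be called as:
//   posts.appendChild(renderPost(document,
//       function (html) { return toStaticHTML(html); }, post));
```
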
  • It sounds like you guys are hitting the situation described here:

    http://msdn.microsoft.com/en-us/library/windows/apps/hh465380.aspx

    under the "Dynamically adding HTML" section

    and here:

    http://msdn.microsoft.com/en-us/library/windows/apps/hh465388.aspx

    Where dynamic content is stripped out of some HTML calls in the local context using toStaticHTML.  As described this is to protect the local context where the WinRT can be called from potentially unsafe code.  As described in the first link, you have a couple options including using the web context if the code you're trying to add is untrusted, or if it is trusted, using one of the described methods. 

    • Proposed as answer by andersbe Friday, September 16, 2011 10:01 PM
    • Marked as answer by maxhudson Saturday, September 17, 2011 3:58 AM
    Friday, September 16, 2011 10:01 PM

All replies

  • Should I attach a zip of my project file?

    I kind of need an answer as I have no idea how to get around this...

    Friday, September 16, 2011 1:36 PM
  • It is difficult to answer coding questions without seeing any code snippets or the data you are trying to insert; however, I would guess you need to use the unsafe versions of the APIs

    http://msdn.microsoft.com/en-us/library/windows/apps/br211696(v=VS.85).aspx

    You may need to use this: setInnerHTMLUnsafe to replace setInnerHTML (if you trust the source of the HTML)


    Jeff Sanders (MSFT)
    Friday, September 16, 2011 2:54 PM
    Moderator
  • Max,

    Do you have a small code sample that will reproduce this problem? If so, please zip and share. This way we can take a look and get the right folks engaged.

    Thanks,

    Robert.

    Friday, September 16, 2011 3:33 PM
  • Max,

    Do you have a small code sample that will reproduce this problem? If so, please zip and share. This way we can take a look and get the right folks engaged.

    Thanks,

    Robert.

    I've encountered the same problem working through the metro RSSReader tutorial (http://msdn.microsoft.com/en-us/library/windows/apps/br211385%28v=VS.85%29.aspx). It's at this point:

    for (var i = 0, len = items.length; i < len; i++) {
        var item = items[i];
        // append data to #posts div
        var parent = document.createElement("div");
        appendDiv(parent, item.selectNodes("title")[0].text, "postTitle");
        appendDiv(parent, item.selectNodes("pubDate")[0].text, "postDate");
        appendDiv(parent, item.selectNodes("description")[0].text, "postContent");
        posts.appendChild(parent);
    }

    Should this text be changed to something else?

    Friday, September 16, 2011 8:05 PM
  • Ok, so how do I use these solutions?

    There is no example provided. Thanks!

    Saturday, September 17, 2011 3:58 AM
  • You're my fokin hero
    Sunday, September 18, 2011 6:26 AM
  • Hey Josh,

    Please note that this behavior is unacceptable. I use, e.g., the Sencha ExtJS library; just include the ext-all.js file and you will get this problem.

    ExtJS has over 6 million downloads and I am pretty sure many other libraries do set innerHTML.

    It would be better to have an option in the manifest to allow unsafe content by the developer.

    I am sorry but this is not going to work for 90% of existing JavaScript apps

     

    Tim

    Tuesday, January 03, 2012 7:34 AM
  • Hi,

    I met the same problem, but things don't go well with the toStaticHTML method. Below is my code:

    var list = new WinJS.Binding.List();
    // many items contain untrusted content
    items.forEach(function (item) {
        // filter the content
        item.htmlContent = toStaticHTML(item.content);
        list.push(item);
    });

    and the HTML code:

    <article class="article-content" data-win-bind="innerHTML: htmlContent"></article>

    There is still some content that can't display well, and the same error occurs.

    What else can I do for that? Thx!

    Wednesday, April 11, 2012 5:04 AM