toStaticHTML method

[This documentation is preliminary and is subject to change.]

Removes dynamic HTML elements and attributes from an HTML fragment.

Internet Explorer 8


HRESULT retVal = object.toStaticHTML(bstrHTML, );

Standards information

There are no standards that apply here.


  • bstrHTML [in]
    Type: BSTR

    An HTML fragment.

  • pbstrStaticHTML [out, retval]
    Type: BSTR

    An HTML fragment consisting of static elements only.

Return value


If this method succeeds, it returns S_OK. Otherwise, it returns an HRESULT error code.


The toStaticHTML method can be used to remove event attributes and script from user input before it is displayed as HTML. Malicious HTML can be passed on a URL, in form parameters, or across domains by XDomainRequest or postMessage. Always validate user input before adding it as an HTML fragment to a webpage or storing it in a database.

Note   This method does not filter the attributes of the base element. This can cause potentially unwanted redirect requests for link and anchor elements injected into a webpage. For best results, only use toStaticHTML to modify elements in the body of a webpage.

See also




Build date: 1/26/2012