Re: E4H and constructing DOMs

(cc'ing Mark Miller)


On Thu, Mar 7, 2013 at 9:15 PM, Adam Barth <w3c@adambarth.com> wrote:

> snip
>
> Linking to a thousand-line JavaScript library as evidence that string
> template can be used securely pretty much proves my point: it's hard
> to use string templates securely.  That means that most authors won't
> use them securely and will write code that's full of XSS.
>

I'd like to kindly ask that you stop approaching this conversation as
though browsers and the web are the only client of the ECMAScript
specification. The language serves to provide primitives that can be used
to compose higher level abstractions, e.g. DOM APIs with whatever level of
security the domain problem requires.

I've cc'ed Mark Miller, an expert in PL security and co-designer of ES6
template strings, so he can share his thoughts here.

Rick



>
> Adam
>
>
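The mechanism both messages argue about, as an added illustration that is not code from the thread or from either author: a tagged template literal (the ES6 primitive) used to build a small HTML-escaping abstraction, placed beside the naive concatenation that produces XSS. The names `safeHtml`, `naiveHtml`, `SafeHtml` and `renderGreeting` are assumptions for this example, and the untrusted input string is constructed.

```javascript
// Added example (not from the thread): a tagged template that escapes
// interpolated values for HTML text and quoted-attribute context, shown
// beside the naive string-building the quoted message warns about.

// The five characters that matter in HTML text and quoted attributes.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marker type for markup that has already been escaped, so fragments built
// with safeHtml can be nested in other safeHtml templates without being
// escaped a second time. (Hypothetical helper for this example.)
class SafeHtml {
  constructor(markup) {
    this.markup = markup;
  }
  toString() {
    return this.markup;
  }
}

// Tag function: the literal parts come from the source file and are trusted;
// every interpolated value is treated as untrusted unless it is a SafeHtml.
function safeHtml(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += v instanceof SafeHtml ? v.markup : escapeHtml(v);
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// The pattern the quoted message is worried about: the tag just concatenates,
// so untrusted input lands in the markup unchanged.
function naiveHtml(strings, ...values) {
  return strings.reduce(
    (acc, s, i) => acc + (i > 0 ? String(values[i - 1]) : "") + s,
    ""
  );
}

// Constructed untrusted input used only to show the difference.
const UNTRUSTED_NAME = "<script>alert(1)</script>";

function renderGreeting(name) {
  return safeHtml`<p class="greeting">Hello, ${name}!</p>`.toString();
}

function renderGreetingNaive(name) {
  return naiveHtml`<p class="greeting">Hello, ${name}!</p>`;
}

// Composition: inner fragments built with safeHtml stay intact when embedded
// in an outer template, while plain strings are still escaped.
function renderList(items) {
  const lis = items.map((item) => safeHtml`<li>${item}</li>`);
  const inner = new SafeHtml(lis.map((li) => li.markup).join(""));
  return safeHtml`<ul>${inner}</ul>`.toString();
}

// Example usage (also exercised by the checks below):
//   renderGreeting(UNTRUSTED_NAME) keeps the script tag as inert text,
//   renderGreetingNaive(UNTRUSTED_NAME) emits it as live markup.
```

The escaping above is correct only for HTML text and quoted attribute values; interpolation into a URL, an inline event handler, a `<script>` body or a style attribute each needs a different, context-aware escaper, which is precisely why a general-purpose contextual-escaping tag grows into the thousand-line library the first message points at. The primitive itself stays small; the security properties come from the abstraction layered on top of it.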

Received on Friday, 8 March 2013 02:37:38 UTC