public-script-coord@w3.org mailing list archive (W3C), January to March 2013

Re: E4H and constructing DOMs

From: Rick Waldron <waldron.rick@gmail.com>
Date: Thu, 7 Mar 2013 21:36:51 -0500
Message-ID: <CAHfnhfpzRQODLoDrYKb41YeMDVjwPWFrOV_5TjJ1drUY-hiDyg@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: mikesamuel@gmail.com, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
(cc'ing Mark Miller)


On Thu, Mar 7, 2013 at 9:15 PM, Adam Barth <w3c@adambarth.com> wrote:

> snip
>
> Linking to a thousand-line JavaScript library as evidence that string
> template can be used securely pretty much proves my point: it's hard
> to use string templates securely.  That means that most authors won't
> use them securely and will write code that's full of XSS.
>

I'd like to kindly ask that you stop approaching this conversation as
though browsers and the web are the only client of the ECMAScript
specification. The language serves to provide primitives that can be used
to compose higher-level abstractions, e.g., DOM APIs with whatever level of
security the domain problem requires.

I've cc'ed Mark Miller, an expert in PL security and co-designer of ES6
template strings, so he can share his thoughts here.

Rick



>
> Adam
>
>
Received on Friday, 8 March 2013 02:37:38 UTC
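The point under discussion above, that template strings are a primitive on which a safer abstraction can be built, shown as an added example in JavaScript. This is not code from the thread, from the E4H proposal, or from the library Adam Barth refers to; the `html` tag, the `SafeHtml` wrapper and the injected payload are all constructed here for illustration. A tag function receives the literal parts and the interpolated values as separate arguments, which is what lets it escape every substitution while leaving the author's own markup alone; an untagged template is plain string concatenation and offers no such hook.

```javascript
// Added example (not code from the original thread): a tagged template that
// turns ES6 template strings into an HTML-producing abstraction which escapes
// every interpolated value, so user input cannot add elements or attributes.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in text or quoted
// attribute-value context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Opaque wrapper marking a string as already-safe HTML (hypothetical name).
// Only the `html` tag below produces it, so callers cannot smuggle raw
// strings past the escaper by accident.
class SafeHtml {
  constructor(html) {
    this.html = html;
    Object.freeze(this);
  }
  toString() { return this.html; }
}

// The tag function: `strings` are the author-written literal pieces,
// `values` the runtime substitutions. Keeping them apart is the primitive
// that makes contextual escaping possible at all.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    let piece;
    if (value instanceof SafeHtml) {
      piece = value.html;                    // already escaped, compose as-is
    } else if (Array.isArray(value)) {       // nested fragments, e.g. list items
      piece = value.map((v) => (v instanceof SafeHtml ? v.html : escapeHtml(v))).join('');
    } else {
      piece = escapeHtml(value);             // untrusted scalar: always escape
    }
    out += piece + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Naive counterpart: an untagged template is just concatenation, so the
// payload lands in the markup verbatim.
function unsafeRender(name) {
  return `<p>Hello, ${name}</p>`;
}

// Same template, tagged: the substitution is escaped, the literal <p> is not.
function safeRender(name) {
  return html`<p>Hello, ${name}</p>`.html;
}

// Nested composition: inner fragments are SafeHtml and pass through intact,
// while the raw strings inside them were escaped when they were built.
function renderList(items) {
  return html`<ul>${items.map((item) => html`<li>${item}</li>`)}</ul>`.html;
}

// Quoted attribute value: escaping `"` and `&` keeps the value inside the
// attribute. Scheme validation of the URL itself is a separate concern.
function renderLink(href, label) {
  return html`<a href="${href}">${label}</a>`.html;
}

// Constructed payload for demonstration.
const PAYLOAD = '<img src=x onerror="alert(1)">';
console.log(unsafeRender(PAYLOAD)); // markup injected
console.log(safeRender(PAYLOAD));   // markup neutralised
```

What this small tag does not do is the part that makes a production library long: it cannot tell whether a substitution lands in a URL, a `<script>` body, a CSS value or an unquoted attribute, and each of those needs different handling (an escaped `javascript:` URL is still a `javascript:` URL). That context sensitivity, not the escaping itself, is the work Adam Barth's message is pointing at; the primitive makes it possible, it does not make it automatic.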