
Re: E4H and constructing DOMs

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 8 Mar 2013 02:41:20 +0000 (UTC)
To: Rick Waldron <waldron.rick@gmail.com>
cc: Adam Barth <w3c@adambarth.com>, mikesamuel@gmail.com, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
Message-ID: <Pine.LNX.4.64.1303080239520.15713@ps20323.dreamhostps.com>

On Thu, 7 Mar 2013, Rick Waldron wrote:
> On Thu, Mar 7, 2013 at 9:15 PM, Adam Barth <w3c@adambarth.com> wrote:
> >
> > Linking to a thousand-line JavaScript library as evidence that string 
> > templates can be used securely pretty much proves my point: it's hard 
> > to use string templates securely.  That means that most authors won't 
> > use them securely and will write code that's full of XSS.
> 
> I'd like to kindly ask that you stop approaching this conversation as 
> though browsers and the web are the only client of the EcmaScript 
> specification.

If we're making compromise decisions that mean that we aren't making the 
absolute best decisions for the Web, then we should fork the language so 
that we can.

(This is not theoretical, we've already done this for IDL and many APIs.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 8 March 2013 02:41:42 UTC