- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 8 Mar 2013 02:41:20 +0000 (UTC)
- To: Rick Waldron <waldron.rick@gmail.com>
- cc: Adam Barth <w3c@adambarth.com>, mikesamuel@gmail.com, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
On Thu, 7 Mar 2013, Rick Waldron wrote: > On Thu, Mar 7, 2013 at 9:15 PM, Adam Barth <w3c@adambarth.com> wrote: > > > > Linking to a thousand-line JavaScript library as evidence that string > > template can be used securely pretty much proves my point: it's hard > > to use string templates securely. That means that most authors won't > > use them securely and will write code that's full of XSS. > > I'd like to kindly ask that you stop approaching this conversation as > though browsers and the web are the only client of the EcmaScript > specification. If we're making compromise decisions that mean that we aren't making the absolute best decisions for the Web, then we should fork the language so that we can. (This is not theoretical, we've already done this for IDL and many APIs.) -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 8 March 2013 02:41:42 UTC