Re: E4H and constructing DOMs from Allen Wirfs-Brock on 2013-03-08 (public-script-coord@w3.org from January to March 2013)

From: Allen Wirfs-Brock <allen@wirfs-brock.com>
Date: Fri, 8 Mar 2013 12:48:09 -0800
To: Jonas Sicking <jonas@sicking.cc>
Cc: Adam Barth <w3c@adambarth.com>, Anne van Kesteren <annevk@annevk.nl>, Rick Waldron <waldron.rick@gmail.com>, Adam Klein <adamk@chromium.org>, Ojan Vafai <ojan@chromium.org>, Brendan Eich <brendan@secure.meer.net>, Ian Hickson <ian@hixie.ch>, "rafaelw@chromium.org" <rafaelw@chromium.org>, Alex Russell <slightlyoff@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
Message-Id: <317FA5FE-079E-4A2E-A034-B36539EE6722@wirfs-brock.com>

On Mar 8, 2013, at 12:13 PM, Jonas Sicking wrote:

> On Fri, Mar 8, 2013 at 9:57 AM, Adam Barth <w3c@adambarth.com> wrote:
>>> 
>>> 
>> 
>> Even if we had a secure HTML quasi handler, the HTML quasi handler
>> would not be the default handler.  That means the templating system is
>> insecure by default.
> 
> I'm not sure what you mean by "the default one". As I understand it
> there's no such thing as a default quasi handler. You always have to
> explicitly choose one.
> 

There is no "default handler" but if a template string is not prefixed by a handler tag then its semantics is to simply do string interpolation without observably calling a hander or applying any semantic processing.

Received on Friday, 8 March 2013 20:48:47 UTC