
Re: E4H and constructing DOMs

From: Adam Barth <w3c@adambarth.com>
Date: Fri, 8 Mar 2013 13:15:03 -0800
Message-ID: <CAJE5ia_7WezjqbYbiAkPWy6E7p5W_-fBrRZuOeyCLy0WB5N_BA@mail.gmail.com>
To: Allen Wirfs-Brock <allen@wirfs-brock.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, Rick Waldron <waldron.rick@gmail.com>, Adam Klein <adamk@chromium.org>, Ojan Vafai <ojan@chromium.org>, Brendan Eich <brendan@secure.meer.net>, Ian Hickson <ian@hixie.ch>, "rafaelw@chromium.org" <rafaelw@chromium.org>, Alex Russell <slightlyoff@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
On Fri, Mar 8, 2013 at 12:48 PM, Allen Wirfs-Brock <allen@wirfs-brock.com> wrote:

> On Mar 8, 2013, at 12:13 PM, Jonas Sicking wrote:
>
> On Fri, Mar 8, 2013 at 9:57 AM, Adam Barth <w3c@adambarth.com> wrote:
>
> Even if we had a secure HTML quasi handler, the HTML quasi handler
> would not be the default handler.  That means the templating system is
> insecure by default.
>
>
> I'm not sure what you mean by "the default one". As I understand it
> there's no such thing as a default quasi handler. You always have to
> explicitly choose one.
>
>
> There is no "default handler" but if a template string is not prefixed by
> a handler tag then its semantics is to simply do string interpolation
> without observably calling a handler or applying any semantic processing.
>

Right, that's why the example in my first email is XSS:

---8<---
var firstName = [...];
var lastName = [...];
header.innerHTML = `<h1>Welcome ${ firstName } ${ lastName }!</h1>`;
--->8---

Whereas the E4H equivalent would not be:

var firstName = [...];
var lastName = [...];
header.appendChild(@<h1>Welcome { firstName } { lastName }!</h1>);

(Again, I'm not advocating E4H, I'm just using it as an example of a
complete AST-based templating system.)

Adam
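The contrast drawn in this message, as an added example that is not code from the thread: the untagged template string beside a hypothetical handler-prefixed one (`html`, an assumed name) and an E4H-style tree. No browser DOM is used; the innerHTML sink is simulated by the markup string each approach produces.

```javascript
// Escape the five characters that can change meaning inside HTML text or attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// A hypothetical "secure HTML quasi handler": literal parts pass through untouched,
// every ${...} substitution is escaped before it is joined into the string.
function html(strings, ...values) {
  return strings.reduce(
    (out, literal, i) => out + literal + (i < values.length ? escapeHtml(values[i]) : ''),
    '',
  );
}

// 1. Untagged template: plain string interpolation, the case the email calls XSS.
function untaggedMarkup(firstName, lastName) {
  return `<h1>Welcome ${firstName} ${lastName}!</h1>`;
}

// 2. Same template with the handler prefixed: substitutions cannot become markup.
function taggedMarkup(firstName, lastName) {
  return html`<h1>Welcome ${firstName} ${lastName}!</h1>`;
}

// 3. E4H-style: build a tree instead of a string. Substituted values are text
//    nodes, so there is no HTML parse step for them to influence.
function e4hTree(firstName, lastName) {
  return {
    tag: 'h1',
    children: [
      { text: 'Welcome ' }, { text: firstName }, { text: ' ' }, { text: lastName }, { text: '!' },
    ],
  };
}

// Serialise the tree the way a DOM would: text nodes are escaped, never parsed.
function serialize(node) {
  if ('text' in node) return escapeHtml(node.text);
  return `<${node.tag}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Constructed input containing markup, standing in for untrusted data.
const FIRST = '<i>Mallory</i>';
const LAST = 'Example';
console.log(untaggedMarkup(FIRST, LAST)); // the raw <i> tag reaches the sink
console.log(taggedMarkup(FIRST, LAST));   // &lt;i&gt;Mallory&lt;/i&gt; instead
console.log(serialize(e4hTree(FIRST, LAST)) === taggedMarkup(FIRST, LAST)); // true
```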
Received on Friday, 8 March 2013 21:16:13 UTC
