Re: E4H and constructing DOMs

On Fri, Mar 8, 2013 at 12:48 PM, Allen Wirfs-Brock <allen@wirfs-brock.com> wrote:

> On Mar 8, 2013, at 12:13 PM, Jonas Sicking wrote:
>
>> On Fri, Mar 8, 2013 at 9:57 AM, Adam Barth <w3c@adambarth.com> wrote:
>>
>>> Even if we had a secure HTML quasi handler, the HTML quasi handler
>>> would not be the default handler.  That means the templating system is
>>> insecure by default.
>>
>> I'm not sure what you mean by "the default one". As I understand it
>> there's no such thing as a default quasi handler. You always have to
>> explicitly choose one.
>
> There is no "default handler" but if a template string is not prefixed by
> a handler tag then its semantics is to simply do string interpolation
> without observably calling a handler or applying any semantic processing.
>

Right, that's why the example in my first email is XSS:

---8<---
var firstName = [...];
var lastName = [...];
header.innerHTML = `<h1>Welcome ${ firstName } ${ lastName }!</h1>`;
--->8---

Whereas the E4H equivalent would not be:

var firstName = [...];
var lastName = [...];
header.appendChild(@<h1>Welcome { firstName } { lastName }!</h1>);

(Again, I'm not advocating E4H, I'm just using it as an example of a
complete AST-based templating system.)

Adam

Received on Friday, 8 March 2013 21:16:13 UTC