W3C home > Mailing lists > Public > public-script-coord@w3.org > January to March 2013

Re: E4H and constructing DOMs

From: Allen Wirfs-Brock <allen@wirfs-brock.com>
Date: Sat, 9 Mar 2013 17:47:15 -0800
Cc: Domenic Denicola <domenic@domenicdenicola.com>, Adam Barth <w3c@adambarth.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, Rick Waldron <waldron.rick@gmail.com>, Adam Klein <adamk@chromium.org>, Ojan Vafai <ojan@chromium.org>, Brendan Eich <brendan@secure.meer.net>, Ian Hickson <ian@hixie.ch>, "rafaelw@chromium.org" <rafaelw@chromium.org>, Alex Russell <slightlyoff@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
Message-Id: <18FC1A47-C483-4DB2-A459-2718D978CCCE@wirfs-brock.com>
To: Maciej Stachowiak <mjs@apple.com>

On Mar 9, 2013, at 5:38 PM, Maciej Stachowiak wrote:

> 
> On Mar 8, 2013, at 6:04 PM, Domenic Denicola <domenic@domenicdenicola.com> wrote:
> 
>> From: Adam Barth [mailto:w3c@adambarth.com] 
>> 
>>> Right, that's why the example in my first email is XSS:
>> 
>>>    var firstName = [...];
>>>    var lastName = [...];
>>>    header.innerHTML = `<h1>Welcome ${ firstName } ${ lastName }!</h1>`;
>> 
>>> Whereas the E4H equivalent would not be:
>> 
>>>    var firstName = [...];
>>>    var lastName = [...];
>>>    header.appendChild(@<h1>Welcome { firstName } { lastName }!</h1>);
>> 
>> 
>> I must be missing something, but from my reading you are not gaining anything in the ES4H example over the string templates example, if of course you modify the last line to be
>> 
>>    header.innerHTML = html`<h1>Welcome ${ firstName } ${ lastName }!</h1>`;
> 
> Can quasi handlers return non-strings? A built-in html quasi handler could be a lot safer if it could return a DOM tree instead of a string, i.e.
> 
>  header.appendChild(html`<h1>Welcome ${ firstName } ${ lastName }!</h1>`);
> 
> This way the handler could be internally AST-based and would not have to reserialize back to a string.

yes they can

> 
>> 
>> In particular, as has been explained in this thread a few times, there's no reason why browsers can't ship a built-in `html` template handler that does the same AST-based DOM parsing on the passed template string that ES4H would do on the source string following the @-sign, and subsequently returns the `outerHTML` of the resulting DOM element.
> 
> Not all DOMs can be safely round tripped through serialization and reparsing.
> 
>> Indeed, since string templates don't even need to return strings, you could do
>> 
>>    header.appendChild(htmlel`<h1>Welcome ${ firstName } ${ lastName }!</h1>`);
> 
> This is what html`` should do, if there is such a built-in quasi handler, IMO.

+1


> 
> Regards,
> Maciej
> 
Received on Sunday, 10 March 2013 01:47:53 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:09 UTC