- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Sun, 10 Mar 2013 17:20:43 +0100
- To: "Mark S. Miller" <erights@google.com>
- Cc: <public-script-coord@w3.org>
* Mark S. Miller wrote: >This delays the actual quasi processing until forced, at which time the >context of forcing provides the knowledge of which micro-language to use. >Many languages, including HTML, have many different parsing contexts, each >with its own escaping conventions, etc. The start symbol in the grammar for >each of these parsing contexts forms what I am here calling a >micro-language. By having the default quasi handler delay quasi processing >this way, and to obtain the quasi handler for the micro language from the >quasi handler of the enclosing macro language, the end programmer is >relieved of the need to remember the names of these micro languages. Sounds like the idea is to have: var divA = `...`; var divB = `...`; element.innerHTML = divA; // safe element.innerHTML = divB; // safe element.innerHTML = divA + divB; // ? If the `+` operator stringifies divA and divB then the last line works as intended most of the time, but it might be exploitable. Having to remember the names for the intended escape mode does not seem to be a big problem (and if it was, isn't that actually a reason to have it in the code for the benefit of later readers?) so, sure, this could catch some errors, but it does not help much writing correct code. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Sunday, 10 March 2013 16:21:12 UTC