W3C home > Mailing lists > Public > public-script-coord@w3.org > January to March 2013

Re: html template string handler WAS: E4H and constructing DOMs

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 11 Mar 2013 13:25:22 -0700
Message-ID: <CAAWBYDAnfe3dbyyow5fXT=Zhnz4M129EfoVbVgZ732kagK41zw@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, Ian Hickson <ian@hixie.ch>, Ojan Vafai <ojan@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>
On Mon, Mar 11, 2013 at 1:12 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Mar 11, 2013 at 12:55 PM, Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Mon, Mar 11, 2013 at 7:12 PM, Adam Barth <w3c@adambarth.com> wrote:
>>> I'd recommend restricting untrusted data to text nodes.  That means we
>>> wouldn't be able to support those sorts of templates becaue {foo}
>>> would need to expand to something other than a text node.
>>
>> You mean not addressing the use cases related to attributes?
>
> Yes.  (Note: E4H doesn't let template inputs expand to anything other
> than a text node either.)

Yes it does - E4H lets inputs expand into attribute values.  Anything
which didn't allow *at least* this much would be unacceptable weak,
and ignored by most authors.

I believe that supporting attribute names, and perhaps tagnames, from
inputs is also sufficiently useful and easy to secure.

~TJ
Received on Monday, 11 March 2013 20:26:09 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 May 2013 19:30:09 UTC