
Re: html template string handler WAS: E4H and constructing DOMs

From: Ian Hickson <ian@hixie.ch>
Date: Mon, 11 Mar 2013 23:25:58 +0000 (UTC)
To: Mike Samuel <mikesamuel@gmail.com>
cc: "public-script-coord@w3.org" <public-script-coord@w3.org>
Message-ID: <Pine.LNX.4.64.1303112325170.15713@ps20323.dreamhostps.com>
On Mon, 11 Mar 2013, Mike Samuel wrote:
> 2013/3/11 Adam Barth <w3c@adambarth.com>:
> > On Mon, Mar 11, 2013 at 1:25 PM, Tab Atkins Jr. <jackalmage@gmail.com> wrote:
> >> On Mon, Mar 11, 2013 at 1:12 PM, Adam Barth <w3c@adambarth.com> 
> >> wrote: I believe that supporting attribute names, and perhaps 
> >> tagnames, from inputs is also sufficiently useful and easy to secure.
> >
> > Those seem pretty dangerous.  That lets the attacker choose things 
> > like "onclick" and "script", which might lead to script execution.
> 
> I've seen this requested to satisfy two usecases.  <h{...}> can be used 
> to create hierarchical structures from nested data

FWIW, HTML solves this now using <section> and <h1>.

> and <button onkey{...}> can be used to workaround platform 
> idiosyncrasies that cause developers to want to catch keypress events on 
> some browsers and keydown on others.

That seems like something we should fix by fixing the API, not by adding 
another feature.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Monday, 11 March 2013 23:26:21 UTC
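The risk Adam Barth raises above, an interpolated attribute name or tag name becoming "onclick" or "script", can be closed inside the template handler itself by treating names and values differently: values get context-aware escaping, names are accepted only when the complete name is on an allowlist. The JavaScript below is an added example, not code from the thread or from any E4H or template-string proposal; the allowlists, the double-quoted-attribute-only rule and the function names are this example's own assumptions.

```javascript
// Added example (not code from the thread or from any E4H proposal): a tagged
// template that escapes interpolations in text and quoted-attribute-value
// position, and accepts an interpolated tag name or attribute name only when
// the complete name is on an allowlist, so input can never become "script" or
// "onclick". The allowlists below are this example's own assumption.
const ALLOWED_TAGS = new Set(["h1", "h2", "h3", "h4", "h5", "h6", "section", "p", "span"]);
const ALLOWED_ATTRS = new Set(["id", "class", "title", "data-level"]);

function escapeHtml(v) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(v).replace(/[&<>"']/g, (c) => map[c]);
}

// Classify where an interpolation lands from the literal text before it.
function contextBefore(prefix) {
  if (/<[a-zA-Z][^<>]*=\s*"[^"]*$/.test(prefix)) return "attrvalue";  // title="..{...}
  if (/<[a-zA-Z][^<>]*=\s*$/.test(prefix)) return "unquoted";         // title={...}
  if (/<\/?[a-zA-Z0-9]*$/.test(prefix)) return "tagname";            // <h{...}
  if (/<[a-zA-Z][^<>]*\s[a-zA-Z-]*$/.test(prefix)) return "attrname"; // <button onkey{...}
  return "text";
}

function html(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    const v = String(values[i]);
    switch (contextBefore(out)) {
      case "tagname": {
        // Literal prefix ("<h") plus interpolation ("1") is checked as one name.
        const full = (out.match(/<\/?([a-zA-Z0-9]*)$/)[1] + v).toLowerCase();
        if (!ALLOWED_TAGS.has(full)) throw new Error("tag name not allowed: " + full);
        out += v;
        break;
      }
      case "attrname": {
        const full = (out.match(/\s([a-zA-Z-]*)$/)[1] + v).toLowerCase();
        if (!ALLOWED_ATTRS.has(full)) throw new Error("attribute name not allowed: " + full);
        out += v;
        break;
      }
      case "unquoted":
        throw new Error("attribute values must be double-quoted");
      default: // text or double-quoted attribute value: escape, never interpret
        out += escapeHtml(v);
    }
    out += strings[i + 1];
  }
  return out;
}
```

With this, `<h${level}>` still works for the hierarchical-heading use case, while `<button onkey${suffix}>` is rejected because "onkeydown" is not an allowed attribute name.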
