
Re: E4H and constructing DOMs

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Tue, 12 Mar 2013 03:10:35 +0100
To: mikesamuel@gmail.com
Cc: <public-script-coord@w3.org>
Message-ID: <vv2tj85uk3urh38hi4jgdvl322931kcv0i@hive.bjoern.hoehrmann.de>
* Mike Samuel wrote:
>Ok.  So it's not a goal of E4H to be safe against XSS by default then.

I think we are all agreed that any template mechanism should be robust
against code injections in some manner, particularly including that any
such mechanism should not allow expanded parameters to escape boundaries
that authors assume when looking at the template code, so when you have

  <example example='${...}'>...

authors would assume that whatever `${...}` expands to stays within the
`example` attribute value and any template mechanism should not violate
that assumption. If there is a consensus about that, then I find claims
such as yours above, and discussions about "string-based" versus
"AST-based" solutions rather distracting.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Tuesday, 12 March 2013 02:11:02 UTC
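The boundary property the message argues for, as an added example that is not part of the original thread or of any E4H proposal: a tagged template literal whose tag function tracks whether each `${...}` substitution point sits in text content or inside a quoted attribute value, and escapes accordingly, so an expansion can never close the attribute it appears in. The function names (`html`, `advance`, `escapeAttr`, `renderExample`) and the four-state scanner are assumptions of this example; the scanner deliberately ignores comments, raw-text elements such as `<script>`, and unquoted attribute values (it rejects substitutions there).

```javascript
// Added example: contextual escaping for a template literal so that an
// expansion stays inside the syntactic boundary the template author sees.
// Names and the simplified HTML state machine are assumptions of this example.

// Advance a parse state over a chunk of static template text.
// States: 'text' (element content), 'tag' (inside <...> but outside a
// quoted value), 'attr"' and "attr'" (inside a quoted attribute value).
function advance(state, text) {
  for (const ch of text) {
    if (state === 'text') {
      if (ch === '<') state = 'tag';
    } else if (state === 'tag') {
      if (ch === '>') state = 'text';
      else if (ch === '"') state = 'attr"';
      else if (ch === "'") state = "attr'";
    } else if (state === 'attr"') {
      if (ch === '"') state = 'tag';
    } else if (state === "attr'") {
      if (ch === "'") state = 'tag';
    }
  }
  return state;
}

// Escaping for element content: nothing that can open or close a tag.
function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Escaping for quoted attribute values: additionally neutralise both quote
// characters so the expansion cannot terminate the value it sits in.
function escapeAttr(s) {
  return escapeText(s)
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Tag function: html`<example example='${value}'>...`
// Each substitution is escaped for the context reached at that point.
function html(strings, ...values) {
  let state = 'text';
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    state = advance(state, strings[i]);
    out += strings[i];
    if (i < values.length) {
      if (state === 'text') {
        out += escapeText(values[i]);
      } else if (state === 'attr"' || state === "attr'") {
        out += escapeAttr(values[i]);
      } else {
        // Unquoted attribute or tag-name position: no escaping can make
        // this safe, so refuse rather than guess.
        throw new Error('substitution outside text or quoted attribute context');
      }
      // The escaped output contains none of < > " ' so `state` is unchanged.
    }
  }
  return out;
}

// The template from the message, with a caller-supplied attribute value.
function renderExample(value) {
  return html`<example example='${value}'>...</example>`;
}

// Constructed input containing a quote: it is rendered as data inside the
// `example` attribute rather than ending it.
console.log(renderExample("a' b='c"));
```

Because `advance` runs only over the static parts of the literal and every escaped expansion is free of `<`, `>`, `"` and `'`, the state seen by later substitutions is exactly the state an author reading the template would assume, which is the property the message asks any template mechanism to preserve.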
