[whatwg] On separation of code and data

You may know this already, but the on* handlers have been deprecated and
replaced with the DOM 2 Events* standard. So instead of doing
'onclick="DoFunction()"' the programmer should be calling
"element.addEventListener('click', DoFunction, false)". If I understand you
correctly, this effectively achieves your "no code in data" request. At least
as far as the standards go.

For what it's worth, I'm not certain that keeping code and data separate
fixes the security issues with XSS. For example, Fortify Software released a
Javascript exploit that inlines JSON requests as a simple '<script
src="/path/to/AJAX.json"></script>' tag, then captures the data present in
the object created.

You can read about the full exploit here:

http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf

Such problems go above and beyond the issues present in mixing code with
data, and therefore require more sophisticated security models.

Thanks,
Jerason

* Microsoft has yet to fully support the DOM 2 standard. As a result, IE
does not support addEventListener. It does support
"element.attachEvent('onclick', DoFunction)", which effectively achieves the
same goal.

On 6/7/07, Pieter Ceelen <ceelen.p at gmail.com> wrote:
>
>
> Thus instead of creating
>
> index.html
>  <a href=# onclick="DoFunction()" id=123 >
>
> we write
> index.html
>  <a href=#  id=123 >
>
> index.js
>   document.getElementById('123').onclick = DoFunction;
>

Received on Thursday, 7 June 2007 07:00:59 UTC