- From: Mike Samuel <mikesamuel@gmail.com>
- Date: Fri, 5 Mar 2010 21:57:05 +0000
Is this the right list for this kind of question?

2010/2/23 Mike Samuel <mikesamuel at gmail.com>:
> I'm working with EcmaScript TC39 trying to allow for experimentation
> with new content generation techniques in JavaScript.
> There's one missing piece which would let template language authors
> experiment with varying degrees of XSS-safety, and I was hoping that a
> change like the below might make it into HTML5.
>
> When user-code does
>     document.write(value), myElement.innerHTML = value, etc.
> and the value is an object, currently it is coerced to a string by
> indirectly calling the toString method.  I would like the toString
> method to be called with 'html ' + the current HTML 5 insertion mode
> to give structured template return values a chance to apply
> appropriate escaping schemes.  For attribute sets, it would be nice to
> call toString with the argument 'attr ' + attribute name.  This would
> be backwards compatible as toString implementations ignore parameters
> (modulo Number).
>
> To flesh out this proposal, what areas should I pay attention to?
>
> cheers,
> mike
>
Received on Friday, 5 March 2010 13:57:05 UTC
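The mechanism in the quoted proposal, as an added example that is not part of the original message, TC39, or any HTML5 spec text: a template result object whose toString looks at a context argument of the form 'html ' + insertion mode or 'attr ' + attribute name and picks an escaping scheme accordingly, while a no-argument call (what String(value) and today's DOM sinks do) falls back to plain text escaping, which is the backwards-compatibility point the message makes. The sink functions proposedWrite and proposedSetAttr are assumptions that simulate what document.write and setAttribute would do under the proposal; the URL-attribute allowlist, the refusal to insert in the "text" insertion mode (script/style content, where entity escaping does not help), and the sample input are likewise constructed for this example.

```javascript
'use strict';

// Entity-escape a string for HTML text content or a quoted attribute value.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// Attribute values get entity escaping; URL-typed attributes additionally
// refuse anything that is not http(s), a path, or a fragment (assumption:
// a minimal scheme allowlist, which blocks javascript: and data: URLs).
function escapeAttrValue(name, s) {
  var v = String(s);
  if (/^(href|src|action)$/i.test(name)) {
    if (!/^(https?:|\/|#)/i.test(v.trim())) { v = '#'; }
  }
  return escapeHtmlText(v);
}

// A structured template return value: untrusted data that is not yet HTML.
function TemplateValue(untrusted) { this.untrusted = untrusted; }

// The proposal: the sink passes its context to toString. Without an
// argument (String(obj), today's innerHTML) we still escape as HTML text.
TemplateValue.prototype.toString = function (context) {
  context = context === undefined ? 'html in body' : String(context);
  if (context.indexOf('attr ') === 0) {
    return escapeAttrValue(context.slice('attr '.length), this.untrusted);
  }
  if (context.indexOf('html ') === 0) {
    var mode = context.slice('html '.length);
    // Assumption: in the HTML5 "text" insertion mode (script/style content)
    // entity escaping is not a safe treatment, so refuse rather than emit.
    if (mode === 'text') {
      throw new Error('TemplateValue cannot be inserted in the "' + mode + '" insertion mode');
    }
    return escapeHtmlText(this.untrusted);
  }
  return escapeHtmlText(this.untrusted); // unknown context: safest default
};

// Simulated sinks under the proposal (assumed, not real DOM behaviour):
// objects get toString(context); primitives are coerced as today.
function proposedWrite(value, insertionMode) {
  return (typeof value === 'object' && value !== null)
    ? value.toString('html ' + insertionMode)
    : String(value);
}
function proposedSetAttr(name, value) {
  return (typeof value === 'object' && value !== null)
    ? value.toString('attr ' + name)
    : String(value);
}

// Constructed sample input: a classic XSS payload and an attribute injection.
var payload = new TemplateValue('<img src=x onerror=alert(1)>');
console.log(String(payload));                                  // no-arg call, legacy sink
console.log(proposedWrite(payload, 'in body'));                 // html context
console.log(proposedSetAttr('title', new TemplateValue('a"b'))); // attr context
console.log(proposedSetAttr('href', new TemplateValue('javascript:alert(1)')));
```

Note the caveat the message itself flags with "modulo Number": Number.prototype.toString already interprets its first argument as a radix, so a sink that unconditionally passed a context string to toString would have to skip primitives, as the simulated sinks above do.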