(cc'ing Mark Miller)

On Thu, Mar 7, 2013 at 9:15 PM, Adam Barth <w3c@adambarth.com> wrote:

> snip
>
> Linking to a thousand-line JavaScript library as evidence that string
> template can be used securely pretty much proves my point: it's hard
> to use string templates securely. That means that most authors won't
> use them securely and will write code that's full of XSS.
>

I'd like to kindly ask that you stop approaching this conversation as though browsers and the web are the only client of the EcmaScript specification. The language serves to provide primitives that can be used to compose higher level abstractions, e.g. DOM APIs with whatever level of security the domain problem requires.

I've cc'ed Mark Miller, an expert in PL security and co-designer of ES6 template strings, so he can share his thoughts here.

Rick

>
> Adam
>

Received on Friday, 8 March 2013 02:37:38 UTC