RE: E4H and constructing DOMs

From: Adam Barth [mailto:w3c@adambarth.com] 

> Right, that's why the example in my first email is XSS:

>     var firstName = [...];
>     var lastName = [...];
>     header.innerHTML = `<h1>Welcome ${ firstName } ${ lastName }!</h1>`;

> Whereas the E4H equivalent would not be:

>     var firstName = [...];
>     var lastName = [...];
>     header.appendChild(@<h1>Welcome { firstName } { lastName }!</h1>);


I must be missing something, but from my reading you are not gaining anything in the ES4H example over the string templates example, if of course you modify the last line to be

    header.innerHTML = html`<h1>Welcome ${ firstName } ${ lastName }!</h1>`;

In particular, as has been explained in this thread a few times, there's no reason why browsers can't ship a built-in `html` template handler that does the same AST-based DOM parsing on the passed template string that ES4H would do on the source string following the @-sign, and subsequently returns the `outerHTML` of the resulting DOM element. Indeed, since string templates don't even need to return strings, you could do

    header.appendChild(htmlel`<h1>Welcome ${ firstName } ${ lastName }!</h1>`);

where `htmlel` just returns an HTML element constructed using that same algorithm (instead of the `outerHTML` of that element).

At this point it seems like you are bikeshedding over `@` vs. `htmlel` or `{}` vs. `${}`, which leads me to believe I must be missing your argument, especially since you emphasize you're not wedded to ES4H and thus presumably not wedded to `@` or `{}`. 

Look forward to hearing what I missed!

Received on Saturday, 9 March 2013 02:05:25 UTC