Re: E4H and constructing DOMs

On Mar 9, 2013, at 6:26 PM, Brendan Eich <brendan@secure.meer.net> wrote:

> Allen Wirfs-Brock wrote:
>> On Mar 9, 2013, at 5:29 PM, Brendan Eich wrote:
>>> No, the idea Ojan put forth is that the tag-less form should call a default handler other than String, in browsers. Specifically it would do a checked form of HTML parsing that threw if interpolations were not complete and well-formed subtrees. 
>> 
>> Platform specific processing for tag-less string templates would be terrible for cross platform interoperability.
> 
> You mean portability.

I think Ojan's proposal was to have *no* tag-less string templates, which wouldn't have a portability issue.

Another possibility is to have no tag-less string templates in the core language, but add them only for the browser-hosted binding, pointing to an AST-based HTML template that returns a DOM tree.

I suspect that even for many non-browser-hosted applications of JS, string templating with a very convenient syntax would be a security footgun. I would expect this to be true for Node.js, certainly.

Regards,
Maciej

Received on Sunday, 10 March 2013 03:16:21 UTC
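
The footgun raised in this message, shown as an added example that is not part of the original e-mail or of any proposal in the thread: the tag-less form splices an interpolated value into markup as-is, while a tag handler can escape it first. The names `escapeHtml`, `html`, `tagless` and `tagged` are hypothetical, the input is constructed, and escaping is a simpler stand-in for the checked HTML parsing described in the quoted text.

```javascript
// Constructed sample standing in for a value that arrives from outside the program.
const untrusted = '<img src=x onerror="alert(1)">';

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Hypothetical helper: escape a value for HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Hypothetical tag handler: the literal chunks written by the developer pass
// through unchanged, every interpolated value is escaped before being spliced in.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    out += escapeHtml(value) + strings[i + 1];
  });
  return out;
}

// Tag-less form: default string concatenation, so the value becomes markup.
function tagless(name) {
  return `<p>Hello ${name}</p>`;
}

// Tagged form: same syntax at the call site plus a handler name.
function tagged(name) {
  return html`<p>Hello ${name}</p>`;
}

console.log(tagless(untrusted));
console.log(tagged(untrusted));
```

The escaping here is only correct for element content and quoted attribute values; it does not cover script, style or URL contexts.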