Re: E4H and constructing DOMs from Ojan Vafai on 2013-03-10 (public-script-coord@w3.org from January to March 2013)

From: Ojan Vafai <ojan@chromium.org>
Date: Sat, 9 Mar 2013 23:57:35 -0800
To: Maciej Stachowiak <mjs@apple.com>
Cc: Brendan Eich <brendan@secure.meer.net>, Allen Wirfs-Brock <allen@wirfs-brock.com>, Adam Barth <w3c@adambarth.com>, Domenic Denicola <domenic@domenicdenicola.com>, Jonas Sicking <jonas@sicking.cc>, Anne van Kesteren <annevk@annevk.nl>, Rick Waldron <waldron.rick@gmail.com>, Adam Klein <adamk@chromium.org>, Ian Hickson <ian@hixie.ch>, "rafaelw@chromium.org" <rafaelw@chromium.org>, Alex Russell <slightlyoff@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>, "Mark S. Miller" <erights@google.com>
Message-ID: <CANMdWTvdYyE9a18_wNNsJ2vYvkS75K45NuJho-ufygvjDT9r_w@mail.gmail.com>

On Sat, Mar 9, 2013 at 5:43 PM, Maciej Stachowiak <mjs@apple.com> wrote:

> On Mar 9, 2013, at 2:21 PM, Ojan Vafai <ojan@chromium.org> wrote:
>
> Also, we don't get the static error checking of of E4H. Although, maybe
> browsers could special case the html handler and do static error checking.
>
> Does the desire for static checking imply that the html`` syntax would
> only accept valid HTML? Because an HTML parser can parse anything, so I'm
> not sure in what cases static checking should produce an error.
>

The E4H algorithm doesn't use the HTML parser. It translates what is
basically XML to a bunch of appendChild/setAttribute calls. This has the
advantage of being simple and also allowing you to create whatever sort of
DOM that you could from script. None of the HTML context rules. The
alternative would be to use the HTML parser in the a context-free mode. I
don't remember the result of the million discussions we had about this for
the <template> element and whether that would work for this use-case. As
you say, if we were to use the HTML parser, then there couldn't be any
static error checking.

On Sat, Mar 9, 2013 at 7:15 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>
> On Mar 9, 2013, at 6:26 PM, Brendan Eich <brendan@secure.meer.net> wrote:
>
> Allen Wirfs-Brock wrote:
>
> On Mar 9, 2013, at 5:29 PM, Brendan Eich wrote:
>
> No, the idea Ojan put forth is that the tag-less form should call a
> default handler other than String, in browsers. Specifically it would do a
> checked form of HTML parsing that threw if interpolations were not complete
> and well-formed subtrees.
>
>
> Platform specific processing for tag-less string templates would be
> terrible for cross platform interoperability.
>
>
> You mean portability.
>
>
> I think Ojan's proposal was to have *no* tag-less string templates, which
> wouldn't have a portability issue.
>

This is what I meant, but I'd be fine with any of these options. I buy
Adam's argument that the default handler returning a string is an
unnecessary footgun.

I'd also be fine with just shipping E4H.

> Another possibility is to have no tag-less string templates in the core
> language, but add them only for the browser-hosted binding, pointing to an
> AST-based HTML template that returns a DOM tree.
>
> I suspect that even for many non-browser-hosted applications of JS, string
> templating with a very convenient syntax would be a security footgun. I
> would expect this to be true for Node.js, certainly.
>
> Regards,
> Maciej
>
>

Received on Sunday, 10 March 2013 07:58:24 UTC