W3C home > Mailing lists > Public > public-script-coord@w3.org > January to March 2013

Re: E4H and constructing DOMs

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sun, 10 Mar 2013 17:20:43 +0100
To: "Mark S. Miller" <erights@google.com>
Cc: <public-script-coord@w3.org>
Message-ID: <1abpj85nepnpng7eldou5o223u9valfgo4@hive.bjoern.hoehrmann.de>
* Mark S. Miller wrote:
>This delays the actual quasi processing until forced, at which time the
>context of forcing provides the knowledge of which micro-language to use.
>Many languages, including HTML, have many different parsing contexts, each
>with its own escaping conventions, etc. The start symbol in the grammar for
>each of these parsing contexts forms what I am here calling a
>micro-language. By having the default quasi handler delay quasi processing
>this way, and to obtain the quasi handler for the micro language from the
>quasi handler of the enclosing macro language, the end programmer is
>relieved of the need to remember the names of these micro languages.

Sounds like the idea is to have:

  var divA = `...`;
  var divB = `...`;
  element.innerHTML = divA;        // safe
  element.innerHTML = divB;        // safe
  element.innerHTML = divA + divB; // ?

If the `+` operator stringifies divA and divB then the last line works
as intended most of the time, but it might be exploitable. Having to
remember the names for the intended escape mode does not seem to be a
big problem (and if it was, isn't that actually a reason to have it in
the code for the benefit of later readers?) so, sure, this could catch
some errors, but it does not help much writing correct code.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Sunday, 10 March 2013 16:21:12 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:08 UTC