- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 11 Mar 2013 12:12:21 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: Ojan Vafai <ojan@chromium.org>, "public-script-coord@w3.org" <public-script-coord@w3.org>
On Mon, Mar 11, 2013 at 12:01 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 11 Mar 2013, Ojan Vafai wrote:
>> I see two options:
>> 1. Do E4H style parsing. (http://www.hixie.ch/specs/e4h/strawman)
>> 2. Do <template> style parsing through the regular HTML parser.
>
> The big disadvantage of #2 is that the HTML parser really isn't a good
> match for dynamic DOM creation. For example, there'd be no way to do the
> ?= feature of E4X with an HTML parser (in E4X, @<input disabled?={foo}/>
> will create an <input> element with a disabled attribute if |foo|
> evaluates to true, and without one otherwise).
>
> Also, I don't really see how to do safe injection with an HTML parser
> without an additional layer on top -- for example, what would you do with
> "<div {foo}>" or "<div></{foo}>" and so on?
I'd recommend restricting untrusted data to text nodes. That means we
wouldn't be able to support those sorts of templates because {foo}
would need to expand to something other than a text node.
Adam
> It's also not clear how you would build up a DOM from other parts that
> have been previously parsed or created via JS. For example, today with DOM
> calls you can do:
>
> var input = document.createElement('input');
> input.value = foo;
> // ...
> var div = wrapInput(input);
>
> function wrapInput(input) {
>   var div = document.createElement('div');
>   div.appendChild(document.createTextNode('Name: '));
>   div.appendChild(input);
>   div.appendChild(document.createTextNode(' (required)'));
>   return div;
> }
>
> In E4H this would translate to:
>
> var input = @<input value={foo}/>;
> // ...
> var div = wrapInput(input);
>
> function wrapInput(input) {
>   var div = @<div/>;
>   div.appendChild(<>Name: </>);
>   div.appendChild(input);
>   div.appendChild(<> (required)</>);
>   return div;
> }
>
> (Or we could extend E4H to support substituting DOM nodes into element
> contents. I haven't done that in the strawman, but it seems reasonable to
> support, at a first glance.)
>
> I don't see how you could really do this with a parser, short of invoking
> it a bunch of times for little snippets, which seems likely to be expensive.
>
>
> (How would the above work in quasis? Would it invoke the HTML parser?)
>
> --
> Ian Hickson U+1047E )\._.,--....,'``. fL
> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
>
Received on Monday, 11 March 2013 19:13:21 UTC
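
The restriction suggested in the reply above (untrusted data only in text-node position), checked against the two templates Ian asks about, as an added example that is not part of the original thread. The `fillTemplate` function and its `{name}` hole syntax are hypothetical, and because it runs without a DOM it emits escaped text where a browser implementation would call `createTextNode`.

```javascript
// Added example: fillTemplate and the {name} hole syntax are assumptions,
// not an API from E4H, <template>, or quasi-literals.

// Encoding for text-node position only: with &, < and > encoded,
// the substituted value cannot open a tag or start a character reference.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Scan the template once, tracking whether the scanner is inside a tag
// (between '<' and '>') or in element content. Holes are legal only in content.
function fillTemplate(template, data) {
  let out = '';
  let inTag = false;
  let quote = null; // inside a quoted attribute value, '>' does not close the tag
  for (let i = 0; i < template.length; i++) {
    const c = template[i];
    if (c === '{') {
      const end = template.indexOf('}', i);
      if (end === -1) throw new SyntaxError('unterminated hole at offset ' + i);
      const name = template.slice(i + 1, end);
      if (inTag) throw new SyntaxError('hole {' + name + '} is not in text-node position');
      if (!Object.prototype.hasOwnProperty.call(data, name))
        throw new ReferenceError('no value for {' + name + '}');
      out += escapeText(data[name]);
      i = end;
      continue;
    }
    if (inTag) {
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') inTag = false;
    } else if (c === '<') {
      // Content of these elements is not ordinary text, so text escaping
      // would not make a hole there safe; reject the template outright.
      if (/^<(?:script|style|textarea|title)\b/i.test(template.slice(i, i + 10)))
        throw new SyntaxError('raw-text elements are not supported');
      inTag = true;
    }
    out += c;
  }
  if (inTag) throw new SyntaxError('template ends inside a tag');
  return out;
}
```

Both `<div {foo}>` and `<div></{foo}>` are rejected with a `SyntaxError`, which is the trade-off the reply describes: those templates are unsupported rather than made safe.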