Re: XBL2

From skimming the document, it wasn't immediately clear to me how to
instantiate one of these objects.  From a security point of view, it
would be desirable if the content that gets filled into the template
were syntactically separate from the template itself.  That would
help mitigate cross-site scripting in much the same way that prepared
SQL statements help mitigate SQL injection.

Adam


On Thu, Sep 2, 2010 at 6:23 PM, Ian Hickson <ian@hixie.ch> wrote:
>
> Since XBL2 wasn't getting much traction, I've taken an axe to the spec and
> made a number of changes to the spec based on some discussions with some
> browser vendors:
>
>   http://dev.w3.org/2006/xbl2/Overview.html
>
> The main changes are simplification: I've dropped namespace support, made
> it part of HTML rather than its own language, dropped <style> and <script>
> in favour of HTML equivalents, dropped all the <handler> syntactic sugar
> (and redirected event forwarding to internal object instead), dropped
> <preload>, dropped mentions of XForms and XML Events, and so on. I've
> updated all the examples to use the new syntax, so if you're curious about
> the differences, comparing the examples in the spec above to those in the
> TR version is probably a good way to get an idea of what I did.
>
> If this ends up being more successful than the previous work on this
> specification, I'll have to merge it with the HTML spec to more properly
> define how it works. Right now it leaves a lot of the detail a bit vague
> (e.g. integration with the event loop, the parser, authoring conformance
> definitions, etc). If this happens, I don't yet know how much this will
> lend itself to being extracted back out into a separate module (for
> publication by this working group), versus being just published as a core
> part of the HTML spec, but I will be happy to update the group on this
> matter as it becomes clearer.
>
> I don't think the draft above would be suitable for publication as a TR/
> draft, because of the aforementioned rough edges. I mostly just wanted to
> provide this for discussion, to see whether people considered this a move
> in a good direction or a significant step backwards.
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>
>

Received on Friday, 3 September 2010 21:18:47 UTC
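The prepared-statement analogy from Adam's reply, as an added JavaScript illustration that is not code from this thread and not XBL2 syntax: a template using a constructed `{{name}}` slot notation is parsed into markup segments and slot positions before any value is seen, so bound values are emitted as text and cannot change the element structure, unlike plain string concatenation.

```javascript
// Added illustration of the "prepared statement" analogy: the template is
// parsed into fixed markup and slot positions once, before any value is
// seen, and bound values are treated as data that can never become markup.
// Constructed example, not XBL2 syntax and not code from this thread.

// Naive approach: the value is spliced into the markup string, so a browser
// parsing the result treats any tags inside the value as real elements.
function fillByConcatenation(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, name) => String(values[name]));
}

// Escape the characters that can change parsing in text content or in a
// double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// "Prepare" the template: split it into literal markup segments and slot
// names, the way a SQL statement is parsed before parameters are bound.
function prepare(template) {
  const parts = [];
  const re = /\{\{(\w+)\}\}/g;
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    parts.push({ markup: template.slice(last, m.index) });
    parts.push({ slot: m[1] });
    last = re.lastIndex;
  }
  parts.push({ markup: template.slice(last) });
  return {
    // Bind values: markup segments are emitted verbatim, slot values as
    // escaped text, so the element structure of the result is fixed by the
    // template alone. Assumes slots sit in text or quoted attribute values.
    bind(values) {
      return parts.map((p) => (p.markup !== undefined
        ? p.markup : escapeHtml(values[p.slot] ?? ''))).join('');
    },
  };
}

// Constructed sample: a template and a value carrying markup.
const TEMPLATE = '<p class="greeting">Hello, {{name}}!</p>';
const HOSTILE = '<script>untrusted()</script>';

console.log(fillByConcatenation(TEMPLATE, { name: HOSTILE })); // script element survives
console.log(prepare(TEMPLATE).bind({ name: HOSTILE }));        // inert text inside <p>
```

The same split applies to real template systems: whatever parses the template must run before values are bound, and binding must only ever add text or attribute values to an already fixed tree.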