- From: Adam Barth <w3c@adambarth.com>
- Date: Fri, 3 Sep 2010 16:30:22 -0700
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-webapps@w3.org, hyatt@apple.com
I chatted with Ian on IRC. I misunderstood the layer at which XBL operates. XBL operates on already-parsed DOM trees, not on unparsed characters.

Adam

On Fri, Sep 3, 2010 at 2:17 PM, Adam Barth <w3c@adambarth.com> wrote:
> From skimming the document, it wasn't immediately clear to me how to instantiate one of these objects. From a security point of view, it would be desirable if the content that gets filled into the template were syntactically separate from the template itself. That would help mitigate cross-site scripting in much the same way that prepared SQL statements help mitigate SQL injection.
>
> Adam
>
> On Thu, Sep 2, 2010 at 6:23 PM, Ian Hickson <ian@hixie.ch> wrote:
>> Since XBL2 wasn't getting much traction, I've taken an axe to the spec and made a number of changes to the spec based on some discussions with some browser vendors:
>>
>> http://dev.w3.org/2006/xbl2/Overview.html
>>
>> The main changes are simplification: I've dropped namespace support, made it part of HTML rather than its own language, dropped <style> and <script> in favour of HTML equivalents, dropped all the <handler> syntactic sugar (and redirected event forwarding to internal object instead), dropped <preload>, dropped mentions of XForms and XML Events, and so on. I've updated all the examples to use the new syntax, so if you're curious about the differences, comparing the examples in the spec above to those in the TR version is probably a good way to get an idea of what I did.
>>
>> If this ends up being more successful than the previous work on this specification, I'll have to merge it with the HTML spec to more properly define how it works. Right now it leaves a lot of the detail a bit vague (e.g. integration with the event loop, the parser, authoring conformance definitions, etc). If this happens, I don't yet know how much this will lend itself to being extracted back out into a separate module (for publication by this working group), versus being just published as a core part of the HTML spec, but I will be happy to update the group on this matter as it becomes clearer.
>>
>> I don't think the draft above would be suitable for publication as a TR/ draft, because of the aforementioned rough edges. I mostly just wanted to provide this for discussion, to see whether people considered this a move in a good direction or a significant step backwards.
>>
>> --
>> Ian Hickson U+1047E )\._.,--....,'``. fL
>> http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
>> Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 3 September 2010 23:31:34 UTC
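The distinction the thread turns on, filling a template at the character level versus attaching content to an already-parsed tree (the prepared-statement analogy), as an added example that is not part of the thread or of XBL2; the tree model, `fillAsCharacters`, `fillAsDom` and the sample input are constructed for illustration only.

```javascript
// Minimal DOM-like tree (constructed stand-in, not a real DOM):
// elements are {tag, children}, text nodes are {text}.
function el(tag, ...children) { return { tag, children }; }
function text(s) { return { text: String(s) }; }

// Serialize a tree to HTML. Text nodes are escaped, so character data
// can never be re-read as markup.
function serialize(node) {
  if ('text' in node) {
    return node.text
      .replace(/&/g, '&amp;')
      .replace(/</g, '&lt;')
      .replace(/>/g, '&gt;');
  }
  return `<${node.tag}>${node.children.map(serialize).join('')}</${node.tag}>`;
}

// Crude stand-in for "how many elements would a parser create":
// count start tags in an HTML string.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Character-level filling: the untrusted value is spliced into unparsed
// text, so any markup it carries is interpreted by the parser. This is
// the string-concatenation shape that leads to cross-site scripting.
function fillAsCharacters(untrusted) {
  return `<div><span>${untrusted}</span></div>`;
}

// DOM-level filling: the template is already parsed; the value is attached
// as a text node, so it can only ever be character data. This is the
// analogue of a prepared statement binding a parameter.
function fillAsDom(untrusted) {
  const tpl = el('div', el('span'));               // already-parsed template
  tpl.children[0].children.push(text(untrusted));  // slot receives a text node
  return serialize(tpl);
}

// Constructed sample input that happens to contain markup.
const SAMPLE = 'hello <b>injected</b>';

module.exports = { serialize, countStartTags, fillAsCharacters, fillAsDom, SAMPLE };
```

Run with `node` and compare `countStartTags` on both outputs: the character-level fill yields three elements, the DOM-level fill two, because the `<b>` from the input survives only as escaped text.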