On Thu, 10 May 2012, Scott González wrote:
> On Thu, May 10, 2012 at 7:01 PM, Ian Hickson <ian@hixie.ch> wrote:
> >
> > But I'm very skeptical about creating new APIs to encourage authors to
> > use injection-prone, non-type-checked, direct string manipulation in
> > script to generate DOM trees.
>
> Do you realize that a very large percentage of developers are already
> doing this and will continue to do it regardless of whether UAs provide
> this functionality?
Sure. Lots of sites have XSS vulnerabilities, too.
Back in the day, <font> was used everywhere, as were <table>s for layout.
Over time, Web authors have moved away from such practices. Today, many
Web authors use innerHTML. I see no reason to believe that they wouldn't
move away from doing so, if we provide them with better tools.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
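The contrast the thread is arguing about, as an added example that is not part of the original message: the same comment card built by innerHTML-style string concatenation and by DOM node construction. The tiny stub `document` is constructed here only so the block runs outside a browser; the element names, class names and sample input are assumptions.

```javascript
// Added example (not from the thread): one "comment card" built two ways.
// 1) innerHTML-style string concatenation: untrusted text becomes markup.
// 2) DOM node construction: text stays text, so the tree's shape is fixed.
// Runs in a browser on the real `document`, or in Node on the stand-in below.

// Constructed stand-in for the few DOM pieces the node-based path uses.
// In a browser the real `document` is used instead of this stub.
function makeStubDocument() {
  const escText = (s) => String(s).replace(/&/g, '&amp;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
  const escAttr = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const createElement = (tagName) => ({
    tagName, className: '', textContent: '', children: [],
    appendChild(child) { this.children.push(child); return child; },
    get outerHTML() {
      const cls = this.className ? ` class="${escAttr(this.className)}"` : '';
      const inner = this.children.length
        ? this.children.map((c) => c.outerHTML).join('')
        : escText(this.textContent);
      return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
    },
  });
  return { createElement };
}
const doc = typeof document !== 'undefined' ? document : makeStubDocument();

// The pattern the thread warns about: assemble the subtree as a string and
// hand it to innerHTML. Any '<' in `author` or `body` is parsed as markup.
function commentHtmlUnsafe(author, body) {
  return `<div class="comment"><span class="author">${author}</span>` +
         `<p>${body}</p></div>`;
}

// Node-based construction: textContent only ever sets text, so the same
// input cannot introduce elements or attributes the author did not create.
function commentElementSafe(author, body) {
  const div = doc.createElement('div');
  div.className = 'comment';
  const span = doc.createElement('span');
  span.className = 'author';
  span.textContent = author;
  const p = doc.createElement('p');
  p.textContent = body;
  div.appendChild(span);
  div.appendChild(p);
  return div;
}

// Constructed untrusted input: a commenter who types literal markup.
const UNTRUSTED_BODY = 'I <b>love</b> this <a href="/x">link</a>';
```

In a browser, `container.innerHTML = commentHtmlUnsafe(...)` renders the commenter's `<b>` and `<a>` as real elements, while `container.appendChild(commentElementSafe(...))` shows them as literal text.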