Re: [webcomponents] Template element parser changes => Proposal for adding DocumentFragment.innerHTML

On Thu, 10 May 2012, Scott González wrote:
> On Thu, May 10, 2012 at 7:01 PM, Ian Hickson <ian@hixie.ch> wrote:
> > 
> > But I'm very skeptical about creating new APIs to encourage authors to 
> > use injection-prone, non-type-checked, direct string manipulation in 
> > script to generate DOM trees.
> 
> Do you realize that a very large percentage of developers are already 
> doing this and will continue to do it regardless of whether UAs provide 
> this functionality?

Sure. Lots of sites have XSS vulnerabilities, too.

Back in the day, <font> was used everywhere, as were <table>s for layout. 
Over time, Web authors have moved away from such practices. Today, many 
Web authors use innerHTML. I see no reason to believe that they wouldn't 
move away from doing so, if we provide them with better tools.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 10 May 2012 23:10:55 UTC
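The contrast the thread is about, as an added example that is not part of the message above: the same greeting built by string splicing (the pattern Hickson calls injection-prone) and by typed DOM construction. The untrusted value is constructed for the demo, and `fakeDocument` is an assumed stand-in for the browser `document` so the code runs under Node; in a page, pass `document` instead.

```javascript
// Constructed untrusted input, e.g. a user-supplied display name.
const UNTRUSTED_NAME = '<img src=x onerror="alert(1)">';

// Pattern the thread warns about: the value is spliced into a markup string,
// so any markup inside it becomes structure once assigned to innerHTML.
function greetingViaInnerHTML(name) {
  return '<p>Hello, <b>' + name + '</b>!</p>';
}

// Typed construction: the value only ever becomes a Text node. `doc` is the
// browser `document` in a page; the stand-in below lets this run under Node.
function greetingViaDom(doc, name) {
  const p = doc.createElement('p');
  p.appendChild(doc.createTextNode('Hello, '));
  const b = doc.createElement('b');
  b.textContent = name; // stored as text, never parsed as markup
  p.appendChild(b);
  p.appendChild(doc.createTextNode('!'));
  return p;
}

// Assumption: a minimal stand-in for the DOM subset used above, applying the
// serialisation rule a browser uses for outerHTML (text children are escaped).
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
const fakeDocument = {
  createTextNode: (data) => ({ data }),
  createElement(tag) {
    const el = { tag, children: [] };
    el.appendChild = (c) => { el.children.push(c); return c; };
    Object.defineProperty(el, 'textContent', {
      set(v) { el.children = [fakeDocument.createTextNode(String(v))]; },
    });
    Object.defineProperty(el, 'outerHTML', {
      get() {
        const inner = el.children
          .map((c) => (c.outerHTML !== undefined ? c.outerHTML : escapeText(c.data)))
          .join('');
        return `<${tag}>${inner}</${tag}>`;
      },
    });
    return el;
  },
};

// Number of <img> start tags a parser would find in the resulting markup.
function countImgTags(markup) {
  return (markup.match(/<img\b/g) || []).length;
}

console.log(countImgTags(greetingViaInnerHTML(UNTRUSTED_NAME)));                   // 1: injected element
console.log(countImgTags(greetingViaDom(fakeDocument, UNTRUSTED_NAME).outerHTML)); // 0: rendered as text
```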