W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2004

[whatwg] Web Forms 2.0 comments

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 23 Jun 2004 09:42:30 +0000 (UTC)
Message-ID: <Pine.LNX.4.58.0406230929130.53@dhalsim.dreamhost.com>
On Tue, 15 Jun 2004, Ian Bicking wrote:
>>
>> Ouch, good point, a template might well include user-entered data that
>> might match that string. For that matter a script might contain [foo]
>> which happens to be the ID of the template.
>
> Well, it could be done like boundaries in MIME -- you don't provide an
> quoting mechanism, but you allow for explicit replacement values that
> can be arbitrarily unlikely to occur.  E.g.:
>
> <tr template="whatever" template-replace="somelongstring">
>   <input name="phone_somelongstring"...>
> </tr>
>
> This is obnoxious, but at least explicit and potentially robust (but
> only potentially, not necessarily).

Yeah. For now I've simply changed the spec to say that if an attribute
starts with the magic string "[]", then it is not processed (except that
that leading string is stripped). This lets you mark attributes as needing
to be left alone in case you do have this problem of tainted data.

Of course this still doesn't help if someone wants to just import a stack
of HTML into the template, but then in such scenarios I don't know that
any solution would really work.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 23 June 2004 02:42:30 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:34 UTC