- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 23 Jun 2004 09:42:30 +0000 (UTC)
On Tue, 15 Jun 2004, Ian Bicking wrote: >> >> Ouch, good point, a template might well include user-entered data that >> might match that string. For that matter a script might contain [foo] >> which happens to be the ID of the template. > > Well, it could be done like boundaries in MIME -- you don't provide an > quoting mechanism, but you allow for explicit replacement values that > can be arbitrarily unlikely to occur. E.g.: > > <tr template="whatever" template-replace="somelongstring"> > <input name="phone_somelongstring"...> > </tr> > > This is obnoxious, but at least explicit and potentially robust (but > only potentially, not necessarily). Yeah. For now I've simply changed the spec to say that if an attribute starts with the magic string "[]", then it is not processed (except that that leading string is stripped). This lets you mark attributes as needing to be left alone in case you do have this problem of tainted data. Of course this still doesn't help if someone wants to just import a stack of HTML into the template, but then in such scenarios I don't know that any solution would really work. -- Ian Hickson U+1047E )\._.,--....,'``. fL http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,. Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 23 June 2004 02:42:30 UTC