- From: Mike Samuel <mikesamuel@gmail.com>
- Date: Tue, 23 Feb 2010 18:07:20 +0000
I'm working with EcmaScript TC39 trying to allow for experimentation with new content generation techniques in JavaScript. There's one missing piece which would let template language authors experiment with varying degrees of XSS-safety, and I was hoping that a change like the below might make it into HTML5.

When user-code does
    document.write(value), myElement.innerHTML = value, etc.
and the value is an object, currently it is coerced to a string by indirectly calling the toString method. I would like the toString method to be called with 'html ' + the current HTML 5 insertion mode to give structured template return values a chance to apply appropriate escaping schemes. For attribute sets, it would be nice to call toString with the argument 'attr ' + attribute name. This would be backwards compatible as toString implementations ignore parameters (modulo Number).

To flesh out this proposal, what areas should I pay attention to?

cheers,
mike
Received on Tuesday, 23 February 2010 10:07:20 UTC
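
The protocol proposed in the message above, sketched as an added example that is not part of the original e-mail and not code from its author. No browser passes these arguments to toString; `TemplateResult`, `tpl`, `coerceForHtml` and `coerceForAttr` are hypothetical names, the last two standing in for the host side, and the escaping policy shown is one assumed choice.

```javascript
// Constructed illustration: a template result that escapes per context.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => '&#' + c.charCodeAt(0) + ';');
// Allowlist: http(s)/mailto, or a relative URL with no scheme at all.
const SAFE_URL = /^(?:(?:https?|mailto):|[^&:\/?#]*(?:[\/?#]|$))/i;
const URL_ATTRS = new Set(['href', 'src', 'action']);

class TemplateResult {
  constructor(literals, values) {
    this.literals = literals; // trusted text written by the template author
    this.values = values;     // untrusted interpolated data
  }
  join(escape) {
    return this.literals.reduce((out, lit, i) =>
      out + lit + (i < this.values.length ? escape(this.values[i]) : ''), '');
  }
  // context is 'html <insertion mode>' or 'attr <name>' under the proposal,
  // and undefined when a legacy caller coerces the object as happens today.
  toString(context) {
    const [kind, name = ''] = String(context || 'html').split(' ');
    // Every insertion mode gets the same escaping here; a fuller policy could vary it.
    if (kind !== 'attr') return this.join(escapeHtml);
    const raw = this.join(String); // DOM attribute sets are not HTML-parsed
    if (/^on/i.test(name)) return ''; // never build event-handler code from data
    if (URL_ATTRS.has(name.toLowerCase()) && !SAFE_URL.test(raw)) return 'about:invalid';
    return raw;
  }
}
const tpl = (literals, ...values) => new TemplateResult(literals, values);

// Hypothetical host behaviour: objects receive the context, strings pass through.
const isObj = (v) => typeof v === 'object' && v !== null;
const coerceForHtml = (value, mode) =>
  isObj(value) ? value.toString('html ' + mode) : String(value);
const coerceForAttr = (value, attrName) =>
  isObj(value) ? value.toString('attr ' + attrName) : String(value);

const greeting = tpl`<b>${'Tom & <Jerry>'}</b>`; // constructed sample input
console.log(coerceForHtml(greeting, 'in body'));
console.log(coerceForAttr(tpl`${'javascript:void(0)'}`, 'href'));
```

An object whose toString ignores its argument yields the same string under both the current and the proposed coercion, which is the backwards-compatibility property the message relies on.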