
[whatwg] XSS safe templating

From: Mike Samuel <mikesamuel@gmail.com>
Date: Tue, 23 Feb 2010 18:07:20 +0000
Message-ID: <178b8d441002231007p23e31dbna433050b9843f7ef@mail.gmail.com>
I'm working with EcmaScript TC39 trying to allow for experimentation
with new content generation techniques in JavaScript.
There's one missing piece which would let template language authors
experiment with varying degrees of XSS-safety, and I was hoping that a
change like the below might make it into HTML5.

When user-code does
    document.write(value), myElement.innerHTML = value, etc.
and the value is an object, currently it is coerced to a string by
indirectly calling the toString method. I would like the toString
method to be called with 'html ' + the current HTML 5 insertion mode
to give structured template return values a chance to apply
appropriate escaping schemes. For attribute sets, it would be nice to
call toString with the argument 'attr ' + attribute name. This would
be backwards compatible as toString implementations ignore parameters
(modulo Number).

To flesh out this proposal, what areas should I pay attention to?

Received on Tuesday, 23 February 2010 10:07:20 UTC
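The following is an added illustration of the proposal above, not code from the original post or from any browser or TC39 implementation. It models a structured template value whose toString accepts the proposed context string ('html ' + insertion mode or 'attr ' + attribute name) and escapes accordingly, together with two simulated host sinks (hostInnerHtml, hostSetAttribute) that pass that context the way the proposal asks innerHTML and attribute setters to. All names, the URL-attribute policy, and the sample inputs are constructed for this example.

```javascript
// Added example (hypothetical names): a template return value that applies
// context-appropriate escaping when the host passes an escaping context to
// toString, and falls back to conservative text escaping when it does not
// (today's behaviour, where toString is called with no arguments).

// Escape the characters that matter in HTML text and in quoted attribute values.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Attribute context (constructed policy): URL-valued attributes only accept a
// small allow-list of schemes and relative forms; everything else is replaced
// with an inert value. All attributes then get the standard escaping.
function escapeForAttr(name, s) {
  const str = String(s);
  if (/^(href|src|action)$/i.test(name)) {
    if (!/^(https?:|mailto:|\/|#)/i.test(str.trim())) {
      return 'about:invalid';
    }
  }
  return escapeHtmlText(str);
}

class UntrustedValue {
  constructor(raw) { this.raw = raw; }

  // Proposed hook: the host calls toString('html <insertion mode>') or
  // toString('attr <attribute name>'). With no argument we still escape,
  // so the raw string is never emitted as markup.
  toString(context) {
    if (typeof context !== 'string') return escapeHtmlText(this.raw);
    const [kind, ...rest] = context.split(' ');
    const detail = rest.join(' ');
    if (kind === 'attr') return escapeForAttr(detail, this.raw);
    // 'html in body', 'html in head', ...: plain text escaping. Raw-text
    // contexts (script/style) would need a different scheme; this
    // constructed example treats every html mode as text.
    return escapeHtmlText(this.raw);
  }
}

// Simulated host sink behaving as proposed: objects get toString called
// with 'html ' + the current insertion mode; primitives are stringified.
function hostInnerHtml(value, insertionMode = 'in body') {
  if (value !== null && typeof value === 'object') {
    return value.toString('html ' + insertionMode);
  }
  return String(value);
}

// Simulated attribute setter: objects get toString('attr ' + attribute name).
function hostSetAttribute(name, value) {
  if (value !== null && typeof value === 'object') {
    return value.toString('attr ' + name);
  }
  return String(value);
}

// Constructed sample inputs.
const taggedInput = new UntrustedValue('<script>x</script>');
console.log(hostInnerHtml(taggedInput));                       // escaped text
console.log(String(taggedInput));                              // no context: still escaped
console.log(hostSetAttribute('href', new UntrustedValue('javascript:x'))); // about:invalid
console.log(hostSetAttribute('title', new UntrustedValue('a"b')));         // a&quot;b
```

The point the example makes is that the context argument is purely additive: a value that escapes conservatively by default stays safe in a host that never passes a context, while a host that does pass one can let the value choose attribute-specific handling.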
