[whatwg] XSS safe templating

From: Mike Samuel <mikesamuel@gmail.com>
Date: Fri, 5 Mar 2010 21:57:05 +0000
Message-ID: <178b8d441003051357g7b56babem8a68da5bce7313eb@mail.gmail.com>
Is this the right list for this kind of question?

2010/2/23 Mike Samuel <mikesamuel at gmail.com>:
> I'm working with EcmaScript TC39 trying to allow for experimentation
> with new content generation techniques in JavaScript.
> There's one missing piece which would let template language authors
> experiment with varying degrees of XSS-safety, and I was hoping that a
> change like the below might make it into HTML5.
>
> When user-code does
>     document.write(value), myElement.innerHTML = value, etc.
> and the value is an object, currently it is coerced to a string by
> indirectly calling the toString method. I would like the toString
> method to be called with 'html ' + the current HTML 5 insertion mode
> to give structured template return values a chance to apply
> appropriate escaping schemes. For attribute sets, it would be nice to
> call toString with the argument 'attr ' + attribute name. This would
> be backwards compatible as toString implementations ignore parameters
> (modulo Number).
>
> To flesh out this proposal, what areas should I pay attention to?
>
> cheers,
> mike
>
Received on Friday, 5 March 2010 13:57:05 UTC
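The mechanism proposed above, sketched as an added JavaScript example (not code from the message, from TC39 or from HTML5): a structured template return value whose toString receives the sink's context string and picks its escaping from it. The 'html <mode>' and 'attr <name>' context strings follow the proposal; TemplateValue, escapeFor, and the sink shims renderInnerHtml/renderAttr are names assumed here for illustration.

```javascript
// Added example, not from the list message: a sketch of the proposed
// toString(context) hook. The 'html <mode>' / 'attr <name>' context strings
// follow the proposal; TemplateValue, the escaping rules and the sink shims
// are assumptions made here for illustration.
const HTML_ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => HTML_ESC[c]);

// Escape one untrusted interpolation for the context the sink announced.
function escapeFor(kind, detail, v) {
  if (kind === 'attr') {
    if (/^on/i.test(detail)) return '';          // never interpolate into event handlers
    if (/^(href|src|action)$/i.test(detail)) {   // URL attribute: check the scheme first
      const safe = /^(https?:|mailto:|[\/#.?])/i.test(String(v).trim());
      return escapeHtml(safe ? v : '#unsafe-url-removed');
    }
  }
  // 'html <mode>', plain attributes and unknown contexts: full HTML escaping
  return escapeHtml(v);
}

// Structured template return value: trusted literal chunks interleaved with
// untrusted values whose escaping is deferred until the sink names its context.
class TemplateValue {
  constructor(literals, values) { this.literals = literals; this.values = values; }
  toString(context = 'html in body') {      // no argument: legacy sink, escape fully
    const [kind, ...rest] = context.split(' ');
    return this.literals.reduce((out, lit, i) =>
      out + lit + (i < this.values.length ? escapeFor(kind, rest.join(' '), this.values[i]) : ''), '');
  }
}
const html = (literals, ...values) => new TemplateValue(literals, values);

// Emulates the proposed coercion rule: only objects are told the context;
// primitives coerce as today (Number.prototype.toString would read the string
// as a radix and throw, hence the "modulo Number" caveat in the proposal).
function coerce(value, context) {
  return value !== null && typeof value === 'object' ? value.toString(context) : String(value);
}
const renderInnerHtml = (value) => coerce(value, 'html in body');
const renderAttr = (name, value) => coerce(value, 'attr ' + name);

// Constructed sample inputs standing in for untrusted user data.
const userName = '<img src=x onerror=alert(1)>';
const userUrl = 'javascript:alert(1)';
const tpl = html`<a class="user">${userName}</a>`;
renderInnerHtml(tpl);                  // text context: angle brackets escaped
renderAttr('href', html`${userUrl}`);  // URL attribute context: scheme rejected
renderAttr('onclick', html`${userName}`); // handler context: nothing interpolated
```

The same TemplateValue renders differently depending on the context string the sink passes, which is what a flat string coerced through a parameterless toString cannot do.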
