W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2010

[whatwg] XSS safe templating

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 10 Mar 2010 12:52:03 -0500
Message-ID: <4B97DC43.3070203@mit.edu>
On 3/10/10 12:45 PM, Mike Samuel wrote:
>> FWIW, in Gecko currently, the stringification happens a few abstraction layers away from the parser, so implementing your suggestion would involve punching holes in those abstractions.
>
> Ah, so there's a layer that sits between the XPCOM object and the JS
> Host object that knows a DOMString is expected, and does the JS foo
> necessary to convert to a string?

That's correct.  The C++ object just implements a method as declared in 
the DOM IDL; there is a glue layer responsible for coercing the 
arguments actually given to the types declared in the IDL.  This isn't 
just the case in Gecko; Webkit+JSC has similar behavior.  I'd assume 
that Webkit+V8 does as well, though I haven't looked at the code.

-Boris
Received on Wednesday, 10 March 2010 09:52:03 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC