W3C home > Mailing lists > Public > whatwg@whatwg.org > March 2010

[whatwg] XSS safe templating

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 11 Mar 2010 00:38:16 -0800
Message-ID: <E86EECC6-6A44-436C-948D-C9CA5716ACF5@apple.com>

On Mar 10, 2010, at 9:52 AM, Boris Zbarsky wrote:

> On 3/10/10 12:45 PM, Mike Samuel wrote:
>>> FWIW, in Gecko currently, the stringification happens a few  
>>> abstraction layers away from the parser, so implementing your  
>>> suggestion would involve punching holes in those abstractions.
>>
>> Ah, so there's a layer that sits between the XPCOM object and the JS
>> Host object that knows a DOMString is expected, and does the JS foo
>> necessary to convert to a string?
>
> That's correct.  The C++ object just implements a method as declared  
> in the DOM IDL; there is a glue layer responsible for coercing the  
> arguments actually given to the types declared in the IDL.  This  
> isn't just the case in Gecko; Webkit+JSC has similar behavior.

Correct, the type coercion is autogenerated code based on IDL.

>  I'd assume that Webkit+V8 does as well, though I haven't looked at  
> the code.

V8's DOM bindings are autogenerated from the same IDL and in roughly  
the same way as the ones for JavaScriptCore, so yes.

Regards,
Maciej
Received on Thursday, 11 March 2010 00:38:16 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:21 UTC