[whatwg] Web Forms 2.0 comments

Wed Jun 23 02:42:30 PDT 2004

On Tue, 15 Jun 2004, Ian Bicking wrote:
>>
>> Ouch, good point, a template might well include user-entered data that
>> might match that string. For that matter a script might contain [foo]
>> which happens to be the ID of the template.
>
> Well, it could be done like boundaries in MIME -- you don't provide an
> quoting mechanism, but you allow for explicit replacement values that
> can be arbitrarily unlikely to occur.  E.g.:
>
> <tr template="whatever" template-replace="somelongstring">
>   <input name="phone_somelongstring"...>
> </tr>
>
> This is obnoxious, but at least explicit and potentially robust (but
> only potentially, not necessarily).

Yeah. For now I've simply changed the spec to say that if an attribute
starts with the magic string "[]", then it is not processed (except that
that leading string is stripped). This lets you mark attributes as needing
to be left alone in case you do have this problem of tainted data.

Of course this still doesn't help if someone wants to just import a stack
of HTML into the template, but then in such scenarios I don't know that
any solution would really work.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'