[whatwg] On separation of code and data
jbanes at gmail.com
Thu Jun 7 07:00:59 PDT 2007
You may know this already, but the on* handlers have been deprecated and
replaced with the DOM 2 Events* standard. So instead of doing 'onclick =
"DoFunction()"' the programmer should be calling
DoFunction, false)". If I understand you correctly, this effectively
achieves your "no code in data" request. At least as far as the standards
For what it's worth, I'm not certain that keeping code and data separate
fixes the security issues with XSS. For example, Fortify Software released a
src="/path/to/AJAX.json"></script>' tag, then captures the data present in
the object created.
You can read about the full exploit here:
Such problems go above and beyond the issues present in mixing code with
data, and therefore require more sophisticated security models.
* Microsoft has yet to fully support the DOM 2 standard. As a result, IE
does not support addEventListener. It does support
DoFunction)" which effectively achieves the same goal.
On 6/7/07, Pieter Ceelen <ceelen.p at gmail.com> wrote:
> Thus instead of creating
> <a href=# onclick="DoFunction()" id=123 >
> we write
> <a href=# id=123 >
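The two points in the mail above, as an added example that is not from the original thread: a handler registered through the DOM 2 API (falling back to attachEvent for old IE, as the footnote describes) so no code sits in the markup, and the usual mitigation for a JSON endpoint being pulled in through `<script src="/path/to/AJAX.json">` and its data captured. The guard prefix value and the sample records are assumptions.

```javascript
// Added example (not from the original mail or the whatwg project).
const GUARD = ")]}',\n"; // assumed guard prefix; any fixed syntax error works

// Register a handler without any code living in the markup.
function attach(el, type, handler) {
  if (typeof el.addEventListener === "function") {
    el.addEventListener(type, handler, false);
    return "addEventListener";
  }
  if (typeof el.attachEvent === "function") { // old IE, per the footnote
    el.attachEvent("on" + type, handler);
    return "attachEvent";
  }
  throw new Error("no event registration API available");
}

// Server side: prepend the guard so the body is not valid as a script.
function wrapJson(obj) {
  return GUARD + JSON.stringify(obj);
}

// Client side (XHR): refuse bodies without the guard, then parse the rest.
function unwrapJson(text) {
  if (!text.startsWith(GUARD)) {
    throw new Error("response lacks guard prefix; refusing to parse");
  }
  return JSON.parse(text.slice(GUARD.length));
}

// Would this body run if included via <script src=...>? An array of records
// is a valid expression statement; the guarded body is a syntax error.
function loadsAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Constructed sample data standing in for a private AJAX.json response.
const records = [{ id: 1, owner: "alice", balance: 42 }];

function demo() {
  return {
    rawLoads: loadsAsScript(JSON.stringify(records)), // true
    guardedLoads: loadsAsScript(wrapJson(records)),   // false
    roundTrip: unwrapJson(wrapJson(records)),
  };
}

console.log(demo());
```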