[whatwg] XSS safe templating
mikesamuel at gmail.com
Tue Feb 23 10:07:20 PST 2010

I'm working with EcmaScript TC39 trying to allow for experimentation
There's one missing piece which would let template language authors
experiment with varying degrees of XSS-safety, and I was hoping that a
change like the below might make it into HTML5.

When user-code does
document.write(value), myElement.innerHTML = value, etc.
and the value is an object, currently it is coerced to a string by
indirectly calling the toString method. I would like the toString
method to be called with 'html ' + the current HTML 5 insertion mode
to give structured template return values a chance to apply
appropriate escaping schemes. For attribute sets, it would be nice to
call toString with the argument 'attr ' + attribute name. This would
be backwards compatible, as toString implementations ignore parameters.

To flesh out this proposal, what areas should I pay attention to?
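The context-sensitive toString the post proposes, as an added example in JavaScript; this is not code from the post, from TC39 or from the WHATWG. Since no browser passes such an argument, the DOM sinks are stood in for by two functions, coerceForHtmlSink and coerceForAttrSink, that build the 'html ' + insertion mode and 'attr ' + attribute name strings the post describes and hand them to toString. The UntrustedText class, the URL-attribute scheme allowlist, the 'about:invalid' replacement and the refusal to be inserted in the "text" insertion mode are this example's own policy choices, not anything the post specifies.

```javascript
// Added example (not from the post): a structured template value whose
// toString() inspects the context string the proposal would have browsers
// pass, and two functions standing in for the DOM sinks that would pass it.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-escape for HTML text content and quoted attribute values.
function escapeHtmlText(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Attributes whose value is a URL; assumed list for this example.
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

// Allow relative URLs and an allowlist of schemes. Tabs/newlines are removed
// and leading controls/spaces stripped first, mirroring how HTML parses URLs,
// so "java\nscript:" cannot slip past the scheme check.
function isSafeUrl(url) {
  const cleaned = String(url).replace(/[\t\n\r]/g, '').replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// Wraps untrusted text; escapes itself according to where it is being inserted.
class UntrustedText {
  constructor(text) { this.text = String(text); }

  toString(context) {
    if (context === undefined) {
      // Today's browsers (and String(), `${}`) pass no argument: fall back to
      // the most conservative escaping so the raw text is never emitted.
      return escapeHtmlText(this.text);
    }
    if (context.startsWith('html ')) {
      const mode = context.slice('html '.length);
      if (mode === 'text') {
        // The "text" insertion mode covers <script>/<style> bodies, where
        // entity escaping does not apply; this example's policy is to refuse.
        throw new TypeError('UntrustedText cannot be inserted as raw text');
      }
      return escapeHtmlText(this.text);
    }
    if (context.startsWith('attr ')) {
      const name = context.slice('attr '.length).toLowerCase();
      if (URL_ATTRS.has(name) && !isSafeUrl(this.text)) {
        return 'about:invalid'; // neutralise javascript: and similar schemes
      }
      return escapeHtmlText(this.text);
    }
    throw new TypeError('unknown coercion context: ' + context);
  }
}

// Stand-ins for document.write / innerHTML and for attribute assignment under
// the proposal: strings pass through unchanged, objects are coerced with the
// context string. Objects whose toString ignores its argument keep working.
function coerceForHtmlSink(value, insertionMode) {
  if (typeof value === 'string') return value;
  return String(value.toString('html ' + insertionMode));
}

function coerceForAttrSink(value, attrName) {
  if (typeof value === 'string') return value;
  return String(value.toString('attr ' + attrName));
}

// Builds the markup a template might emit for one untrusted comment and its
// author-supplied link, showing each sink picking its own escaping.
function renderComment(authorUrl, body) {
  const href = coerceForAttrSink(new UntrustedText(authorUrl), 'href');
  const text = coerceForHtmlSink(new UntrustedText(body), 'in body');
  return '<a href="' + href + '">' + text + '</a>';
}
```

The no-argument branch is what makes the scheme deployable before any browser changes: String(), template literals and today's sinks all call toString() with nothing, and the value still escapes rather than leaking raw text. The attribute branch shows why the attribute name matters and not just "attribute context": entity escaping is the right answer for title, but for href it cannot stop a javascript: URL, so the value has to know which attribute it is headed for.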