[whatwg] XSS safe templating

Mike Samuel mikesamuel at gmail.com
Tue Feb 23 10:07:20 PST 2010


I'm working with EcmaScript TC39 trying to allow for experimentation
with new content generation techniques in JavaScript.
There's one missing piece which would let template language authors
experiment with varying degrees of XSS-safety, and I was hoping that a
change like the below might make it into HTML5.

When user-code does
   document.write(value), myElement.innerHTML = value, etc.
and the value is an object, currently it is coerced to a string by
indirectly calling the toString method.  I would like the toString
method to be called with 'html ' + the current HTML 5 insertion mode
to give structured template return values a chance to apply
appropriate escaping schemes.  For attribute sets, it would be nice to
call toString with the argument 'attr ' + attribute name.  This would
be backwards compatible as toString implementations ignore parameters
(modulo Number).

To flesh out this proposal, what areas should I pay attention to?

cheers,
mike


