[whatwg] XSS safe templating

Mike Samuel mikesamuel at gmail.com
Fri Mar 5 13:57:05 PST 2010


Is this the right list for this kind of question?

2010/2/23 Mike Samuel <mikesamuel at gmail.com>:
> I'm working with EcmaScript TC39 trying to allow for experimentation
> with new content generation techniques in JavaScript.
> There's one missing piece which would let template language authors
> experiment with varying degrees of XSS-safety, and I was hoping that a
> change like the below might make it into HTML5.
>
> When user-code does
>    document.write(value), myElement.innerHTML = value, etc.
> and the value is an object, currently it is coerced to a string by
> indirectly calling the toString method.  I would like the toString
> method to be called with 'html ' + the current HTML 5 insertion mode
> to give structured template return values a chance to apply
> appropriate escaping schemes.  For attribute sets, it would be nice to
> call toString with the argument 'attr ' + attribute name.  This would
> be backwards compatible as toString implementations ignore parameters
> (modulo Number).
>
> To flesh out this proposal, what areas should I pay attention to?
>
> cheers,
> mike
>


More information about the whatwg mailing list