[whatwg] XSS safe templating

Boris Zbarsky bzbarsky at MIT.EDU
Wed Mar 10 09:52:03 PST 2010


On 3/10/10 12:45 PM, Mike Samuel wrote:
>> FWIW, in Gecko currently, the stringification happens a few abstraction layers away from the parser, so implementing your suggestion would involve punching holes in those abstractions.
>
> Ah, so there's a layer that sits between the XPCOM object and the JS
> Host object that knows a DOMString is expected, and does the JS foo
> necessary to convert to a string?

That's correct.  The C++ object just implements a method as declared in 
the DOM IDL; there is a glue layer responsible for coercing the 
arguments actually given to the types declared in the IDL.  This isn't 
just the case in Gecko; Webkit+JSC has similar behavior.  I'd assume 
that Webkit+V8 does as well, though I haven't looked at the code.

-Boris


More information about the whatwg mailing list