[whatwg] XSS safe templating

Henri Sivonen hsivonen at iki.fi
Wed Mar 10 06:38:12 PST 2010

"Mike Samuel" <mikesamuel at gmail.com> wrote:

> I'm working with EcmaScript TC39 trying to allow for experimentation
> with new content generation techniques in JavaScript.
> There's one missing piece which would let template language authors
> experiment with varying degrees of XSS-safety, and I was hoping that
> a
> change like the below might make it into HTML5.

Shouldn't XSS-safe templating use the DOM APIs to generate a tree (fragment) instead of trusting the built-in HTML parser of the browser to behave in a certain way?

> When user-code does
>    document.write(value), myElement.innerHTML = value, etc.
> and the value is an object, currently it is coerced to a string by
> indirectly calling the toString method.  I would like the toString
> method to be called with 'html ' + the current HTML 5 insertion mode
> to give structured template return values a chance to apply
> appropriate escaping schemes.  For attribute sets, it would be nice
> to
> call toString with the argument 'attr ' + attribute name.  This would
> be backwards compatible as toString implementations ignore parameters
> (modulo Number).

What would the object do with this information? Without knowing how you are planning on using this information and filling in the lack of information with my own guesses, my knee jerk reaction is very negative.

FWIW, in Gecko currently, the stringification happens a few abstraction layers away from the parser, so implementing your suggestion would involve punching holes in those abstractions.

Henri Sivonen
hsivonen at iki.fi

More information about the whatwg mailing list