[whatwg] XSS safe templating
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Mar 10 09:52:03 PST 2010
On 3/10/10 12:45 PM, Mike Samuel wrote:
>> FWIW, in Gecko currently, the stringification happens a few abstraction layers away from the parser, so implementing your suggestion would involve punching holes in those abstractions.
>
> Ah, so there's a layer that sits between the XPCOM object and the JS
> Host object that knows a DOMString is expected, and does the JS foo
> necessary to convert to a string?
That's correct. The C++ object just implements a method as declared in
the DOM IDL; there is a glue layer responsible for coercing the
arguments actually given to the types declared in the IDL. This isn't
just the case in Gecko; Webkit+JSC has similar behavior. I'd assume
that Webkit+V8 does as well, though I haven't looked at the code.
-Boris
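
The layering described in this message, as an added toy model (not part of the original post, and not Gecko or WebKit code): a glue function coerces each argument to a string before the implementation method runs, so the implementation cannot tell a typed wrapper from a raw string. `SafeHTML`, `makeImpl`, `toDOMString`, `bindDOMStringMethod` and `demo` are hypothetical names, and the DOMString conversion is assumed to behave like ECMAScript ToString.

```javascript
// Toy model only: every name here is hypothetical, not a browser API.

// Wrapper a templating library might use to mark markup it has vetted.
class SafeHTML {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// "Implementation" layer: a method declared as taking a DOMString.
// It records exactly what reaches it.
function makeImpl() {
  const seen = [];
  return {
    seen,
    setMarkup(value) {
      seen.push({
        type: typeof value,
        isSafeHTML: value instanceof SafeHTML,
        value,
      });
    },
  };
}

// "Glue" layer: coerce every argument to the declared type, then call the
// implementation. A template literal performs ECMAScript ToString.
function toDOMString(v) { return `${v}`; }

function bindDOMStringMethod(impl, name) {
  return (...args) => impl[name](...args.map(toDOMString));
}

// Constructed sample inputs: a typed wrapper, a raw string, and null.
function demo() {
  const impl = makeImpl();
  const setMarkup = bindDOMStringMethod(impl, "setMarkup");
  setMarkup(new SafeHTML("<b>vetted</b>"));
  setMarkup("<i>raw string</i>");
  setMarkup(null);
  return impl.seen;
}

console.log(demo());
```

In this model the wrapper and the raw string arrive as indistinguishable primitive strings; preserving the distinction would require the glue layer to pass the original object through.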