[whatwg] XSS safe templating
Maciej Stachowiak
mjs at apple.com
Thu Mar 11 00:38:16 PST 2010
On Mar 10, 2010, at 9:52 AM, Boris Zbarsky wrote:
> On 3/10/10 12:45 PM, Mike Samuel wrote:
>>> FWIW, in Gecko currently, the stringification happens a few
>>> abstraction layers away from the parser, so implementing your
>>> suggestion would involve punching holes in those abstractions.
>>
>> Ah, so there's a layer that sits between the XPCOM object and the JS
>> Host object that knows a DOMString is expected, and does the JS foo
>> necessary to convert to a string?
>
> That's correct. The C++ object just implements a method as declared
> in the DOM IDL; there is a glue layer responsible for coercing the
> arguments actually given to the types declared in the IDL. This
> isn't just the case in Gecko; Webkit+JSC has similar behavior.
Correct, the type coercion is autogenerated code based on IDL.
> I'd assume that Webkit+V8 does as well, though I haven't looked at
> the code.
V8's DOM bindings are autogenerated from the same IDL and in roughly
the same way as the ones for JavaScriptCore, so yes.
Regards,
Maciej
More information about the whatwg
mailing list