[whatwg] XSS safe templating

Maciej Stachowiak mjs at apple.com
Thu Mar 11 00:38:16 PST 2010


On Mar 10, 2010, at 9:52 AM, Boris Zbarsky wrote:

> On 3/10/10 12:45 PM, Mike Samuel wrote:
>>> FWIW, in Gecko currently, the stringification happens a few  
>>> abstraction layers away from the parser, so implementing your  
>>> suggestion would involve punching holes in those abstractions.
>>
>> Ah, so there's a layer that sits between the XPCOM object and the JS
>> Host object that knows a DOMString is expected, and does the JS foo
>> necessary to convert to a string?
>
> That's correct.  The C++ object just implements a method as declared  
> in the DOM IDL; there is a glue layer responsible for coercing the  
> arguments actually given to the types declared in the IDL.  This  
> isn't just the case in Gecko; WebKit+JSC has similar behavior.

Correct, the type coercion is autogenerated code based on IDL.

>  I'd assume that WebKit+V8 does as well, though I haven't looked at
> the code.

V8's DOM bindings are autogenerated from the same IDL and in roughly  
the same way as the ones for JavaScriptCore, so yes.

Regards,
Maciej
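
A toy model of the glue layer described in this message, added here as an illustration and not taken from Gecko, WebKit or V8. It shows that once arguments are coerced to the IDL-declared `DOMString`, the implementation behind the binding cannot tell a typed wrapper object from a plain string. All names (`coerce`, `IDL`, `makeImpl`, `bind`, `SafeHtml`, `demo`) are hypothetical.

```javascript
// Toy model of an IDL-driven binding layer. Every name here is hypothetical.

// Coercion a generated binding applies for each declared IDL type.
const coerce = {
  DOMString: (v) => String(v), // invokes v.toString() on objects
};

// Stand-in for IDL declarations: method name -> declared argument types.
const IDL = {
  setInnerHTML: ['DOMString'],
  setAttribute: ['DOMString', 'DOMString'],
};

// Stand-in for the native object: it implements the methods as declared
// and records exactly what reached it.
function makeImpl() {
  const seen = [];
  const record = (method) => (...args) => seen.push({ method, args });
  return { seen, setInnerHTML: record('setInnerHTML'), setAttribute: record('setAttribute') };
}

// Stand-in for the autogenerated glue: coerce, then call the implementation.
function bind(impl, idl) {
  const wrapper = {};
  for (const [name, types] of Object.entries(idl)) {
    wrapper[name] = (...args) => impl[name](...types.map((t, i) => coerce[t](args[i])));
  }
  return wrapper;
}

// A typed value that a templating system might want the parser to recognise.
class SafeHtml {
  constructor(html) { this.html = html; }
  toString() { return this.html; }
}

// Returns what the implementation received for a typed value and a plain string.
function demo() {
  const impl = makeImpl();
  const el = bind(impl, IDL);
  el.setInnerHTML(new SafeHtml('<b>hi</b>')); // constructed sample input
  el.setInnerHTML('<b>hi</b>');
  return impl.seen.map((call) => call.args.map((a) => `${typeof a}:${a}`));
}

console.log(demo());
```

Both recorded calls are identical strings, so any type information a caller attaches is gone before the implementation (and the parser behind it) runs.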