[whatwg] XSS safe templating
mjs at apple.com
Thu Mar 11 00:38:16 PST 2010
On Mar 10, 2010, at 9:52 AM, Boris Zbarsky wrote:
> On 3/10/10 12:45 PM, Mike Samuel wrote:
>>> FWIW, in Gecko currently, the stringification happens a few
>>> abstraction layers away from the parser, so implementing your
>>> suggestion would involve punching holes in those abstractions.
>> Ah, so there's a layer that sits between the XPCOM object and the JS
>> Host object that knows a DOMString is expected, and does the JS foo
>> necessary to convert to a string?
> That's correct. The C++ object just implements a method as declared
> in the DOM IDL; there is a glue layer responsible for coercing the
> arguments actually given to the types declared in the IDL. This
> isn't just the case in Gecko; Webkit+JSC has similar behavior.
Correct, the type coercion is autogenerated code based on IDL.
> I'd assume that Webkit+V8 does as well, though I haven't looked at
> the code.
V8's DOM bindings are autogenerated from the same IDL and in roughly