@slightlylate I'm sure you told someone so (a trait we share :-|) but what about security? Cc: @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @BrendanEich
@BrendanEich: that's the point. I'm already seeing innerHTML = .... bugs in sample code. /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats Withholding tagless template strings would've meant they'd do the same with strings.
Replying to @BrendanEich
@BrendanEich: but now the *new* feature isn't any safer by default. /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats Rejecting tagless template strings wouldn't reduce InnerHTML bugs. (I repeat.)
Replying to @BrendanEich
@BrendanEich: yes, repeatedly, without evidence; then advocated the fail-open choice. /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats Evidence: your employer *mandates* tools to audit InnerHTML uses, no matter the RHS.
Replying to @BrendanEich
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats No safe-by-design in rejecting tagless, only less usability/same InnerHTML risk.
Replying to @BrendanEich
@BrendanEich: you keep saying that; I'll keep collecting instances of this #fail. Fair? /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats I.e. String.raw`string: ${string}` *is* tagged, but you know...
@RReverser: You had to work to do that wrong. Friction matters.
/cc @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate Nope. It's rather work to find a tag that *would* escape HTML. @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats
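The escaping tag the thread says is hard to find, written out as an added example (not code from anyone in the thread): an `html` tag that HTML-escapes every interpolated value, next to the tagless form and `String.raw`, which both pass untrusted input through to markup unchanged. The helper names and the sample input are assumptions.

```javascript
// Added example, not from the thread. Names (escapeHtml, SafeHtml, html) and
// the sample input are assumptions chosen for illustration.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Marker type: markup produced by `html` can be nested into another `html`
// literal without being escaped a second time. Plain strings never carry it.
class SafeHtml {
  constructor(s) { this.s = s; }
  toString() { return this.s; }
}

// Tag function. The literal chunks (`strings`) are author-written markup;
// every interpolated value is escaped unless it is already SafeHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof SafeHtml ? v.s : escapeHtml(v)) + strings[i + 1];
  });
  return new SafeHtml(out);
}

// Constructed sample input standing in for an untrusted query parameter.
const untrusted = '<img src=x onerror=alert(1)>';

function taglessRender(name) {
  // Tagless: the value is concatenated verbatim, so assigning the result to
  // innerHTML would parse the untrusted string as markup.
  return `<p>Hello, ${name}</p>`;
}

function rawRender(name) {
  // String.raw is a tag, but it only preserves backslash escapes in the
  // literal text; it does nothing to the interpolated values.
  return String.raw`<p>Hello, ${name}</p>`;
}

function taggedRender(name) {
  // Escaping tag: the same input is rendered as text, not as an element.
  return html`<p>Hello, ${name}</p>`.toString();
}

function nestedRender(name) {
  const item = html`<li>${name}</li>`; // SafeHtml: escaped once, here
  return html`<ul>${item}</ul>`.toString(); // not escaped again
}
```

Only the result of the escaping tag is safe to hand to innerHTML; the tagless and String.raw results are byte-for-byte identical and carry the payload through.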