@BrendanEich : but now the *new* feature isn't any safer by default.
/cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats Rejecting tagless template strings wouldn't reduce InnerHTML bugs. (I repeat.)
Replying to @BrendanEich
@BrendanEich: yes, repeatedly, without evidence; then advocated the fail-open choice /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats Evidence: your employer *mandates* tools to audit InnerHTML uses, no matter RHS.
Replying to @BrendanEich
@slightlylate @mvsamuel @ErikArvidsson @bradneuberg @wycats No safe-by-design in rejecting tagless, only less usability/same InnerHTML risk.
Replying to @BrendanEich
@BrendanEich: you keep saying that; I'll keep collecting instances of this #fail. Fair? /cc @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats I.e. String.raw`string: ${string}` *is* tagged, but you know...
Replying to @RReverser
@RReverser: You had to work to do that wrong. Friction matters. /cc @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @slightlylate
@slightlylate Nope. It's rather work to find tag that *would* escape HTML. @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats
Replying to @RReverser
@slightlylate (at least I don't know any atm, unless I try and google for it) @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats
@RReverser: *now you're playing a better game*. Best is @cramforce et al's
/cc @BrendanEich @mvsamuel @ErikArvidsson @bradneuberg @wycats