On 28/04/2014 08:16, Alp Toker wrote:
When the implementation starts to add HTML5 rules and JavaScript validators in libclang(!) while the basic one-liner comment parsing isn't yet dogfoodable due to performance issues it's worth taking a step back. Seriously, let's fix this.
On this point, I feel strongly that any HTML sanitizing facilities or cross-site scripting checks should be removed from the repository. Instead document the fact that HTML output isn't trusted and must be sanitized before being sent to the user's browser.
As you said in your own commit log, "going over all of the HTML5 spec requires a significant amount of time" and what's in-tree is incomplete and insecure -- so why attempt to do it in the compiler when every web framework in existence already has a quality implementation?
Alp.

-- 
http://www.nuanti.com
the browser experts

_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
