Brendan Eich wrote:
> I'm not kidding, and I'm not saying some web developers should not have
> the ability to script filtering of user-generated content. The expertise
> to do this well, and to track evolving browser features, is rare.

Possibly true. But so is the ability to write decent and well-designed
Ajax libraries. So people do it and borrow from others.

Why could it not be that most web developers used canned filtering
functions supplied by best practice websites? One for a hashing scheme
("stick your hashes in this array"), one for a jail-type scheme ("just
set class="jail" on your <div>") and one for a Script-Keys type scheme
("put your secret script key in this variable"). Or whatever.

> Separately, more JS APIs including standard crypto module APIs would be
> a fine thing. This idea has not come up AFAIK in http://whatwg.org yet
> (I may have missed a post to the open mailing list).

That would indeed be a fine thing. I think there's now JS access to
crypto in the Mozilla platform; perhaps that's a good start for an API
definition.

Gerv