Reviewers: MarkM, Description: Script tags support a language attribute which causes a different language interpreter to be used on the contents of the script block. This increases the attack surface that needs to be understood. An alternative is to translate source languages into a single or a small number of target languages which can then be understood and secured.
This mechanism would also be useful to simplify the composition of a web page that has a mix of trusted (that needs to be innocent-transformed) code and untrusted (that needs to be cajoled) as well as allow a page to be coded in a mix of langauges (e2js, caja, gwt, flapjacks). Please review this at http://codereview.appspot.com/1529041/show Affected files: M build.xml A src/com/google/caja/service/extended.js
