Someone recently requested a nice way to include a <meta name="viewport"
content="..."> tag in Ur/Web. It doesn't seem safe to expose <meta> in
its most general form, with type [string] for each attribute, since it
seems like browsers could interpret those strings in quite arbitrary
ways, which goes against Ur/Web's philosophy about implicit
interpretation of strings as programs.
Are there any opinions, then, on the right way to expose this tag?
My first thought is to add an application-level whitelist of which
<meta> names are allowed, just as with HTTP header names. Then the
'content' attribute could be exposed as [string], while the 'name'
attribute would have an abstract type of allowable names. The programmer
would need to be careful not to whitelist names that can lead to mayhem.
_______________________________________________
Ur mailing list
[email protected]
http://www.impredicative.com/cgi-bin/mailman/listinfo/ur
