On Mon, Oct 19, 2009 at 8:39 PM, goosemanjack <
cc...@myspace.com> wrote:
>
> I spoke with the team, and at this point we feel the current spec is
> unworkable. It lacks the detail or the completeness to make it
> practical. Even a trivial implementation requires numerous extensions
> to make it quasi-functional. Given that how the EL behaves at a
> global level is such a pervasive and wide-reaching aspect of OSML in
> general, we must insist on clarity. I reviewed internal conversations
> on this aspect of the spec to see what insight I could gain before
> replying. We've had long-running misgivings about this section in the
> spec, but decided to not oppose it in the 0.9 round in the interest of
> ratifying a version of the spec. We expected to have some data from
> live implementations to use concrete data from when revisiting this
> item. Instead the transition from 0.9 to v.next (we're not willing to
> sign off on this being 1.0 yet) comes with neither group being fully
> 0.9 launched with any depth of data, so we're still shooting from the
> hip.
>
> The feeling over here is that if Shindig wants to pursue auto-escaping
> within the EL, they are free to do so and re-propose it as an
> extension. For now, auto-escaping is unworkable as proposed in the
> spec and will be considered a spec error. There are no complete
> implementations that implement it to a satisfactory workable model and
> inadequate data on usage patterns to warrant it's inclusion.
... and I'd *really* like you to give specific and complete feedback
about why it is "unworkable" and a "spec error", when it's in the spec
and being used in Shindig to serve huge numbers of requests every day.
I think you're talking about how to do escaping of HTML vs.
Javascript vs. CSS, but I'm just guessing. (And it's entirely true
that Shindig hasn't tackled that, but I don't see it as fundamentally
impossible.)
You've continually stated it just doesn't work, but haven't given us
the hard details *why* it doesn't, which makes it impossible to have a
productive discussion. And you're flipping the onus of proof around
in an incorrect manner: it *is* in the spec, and you have to prove
why it needs to be taken out. Shindig doesn't have to re-propose it
as an extension until after that discussion.
And we do in fact have plenty of data (personally anecdotal, though we
could dig up hard data) about attack vectors due to lack of escaping
prior to Opensocial 0.9.
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google Groups "OpenSocial and Gadgets Specification Discussion" group.
> To post to this group, send email to
opensocial-an...@googlegroups.com
> To unsubscribe from this group, send email to
opensocial-and-gadg...@googlegroups.com
> For more options, visit this group at
http://groups.google.com/group/opensocial-and-gadgets-spec?hl=en
> -~----------~----~----~----~------~----~------~--~---
>
>