Lane Said:
> In which case, this proposal is effectively:
> "Containers MUST support escaping strings in EL.
> Containers MAY provide a way for developers to
> turn off auto-escape of string content in EL"
> Am I interpreting this correctly?
Yes. In essence, that is this proposal with a degree of explicitness
in how the ability to turn off escaping will function.
To Evan's query: contextual escaping requires the EL language (and
processor) to no longer be independent of the hosting environment.
There are two main reasons we have a philosophical opposition to
contextual escaping:
1. Developers will get arbitrarily varying behavior from an identical
EL statement depending on where in the code it is located.
Ex: A variable "foo" contains text "a css @import url('style.css')
call pulls a file style"
The EL statement ${foo} would evaluate...
(in an HTML block)
a css @import url('style.css') call pulls a file style
(in a CSS block)
a css import url style.css call pulls a file style
(in the href attribute of an a tag)
a css %40import%28%27foo%27%29 call pulls a file style
(in a javascript block)
a css @import url(\'style.css\') call pulls a file style
Problems start to arise when a developer does something like assign
the EL statement to a javascript variable, then set that value to the
href property of link element. The dev would need to write code to
undo the (incorrect for the situation) contextual escaping and redo it
to the proper URL encoding. The end result is the dev will be
fighting with the EL processor to do anything non-trivial or outside
very strict and limited use cases.
2. Contextual escaping requires the EL to have additional information
that exists outside the EL statement - namely the type of DOM node in
which the statement exists, and in some cases even the attribute type
(think @href vs. @class vs. @style vs. @onclick). This means the
script processor is no longer encapsulated in it's behavior or
portable to other situations. The only possible implementation for the
renderer becomes a DOM-node walker, which is inefficient under heavy
load. This forces a less efficient implementation than a raw stream
processor. It would be possible to buffer the stream, rewind at every
EL statement to determine context, then move forward again.
Add on to these two points all the shortcomings of contextual escaping
WRT security (some pointed out in the original proposal
http://wiki.opensocial.org/index.php?title=Auto-escaping_of_strings_in_EL_a_MAY#Reasons).
I am unaware of any other scripting language that exhibits the type of
polymorphic output behavior that the contextual escaping part of the
spec is attempting to require. Going down the list - PHP, VBScript,
Perl, Ruby - they all emit the same output for the same statement,
regardless of where the statement is located. They do provide
explicity escaping for common scenarios and do allow for function
extension, but none of them emit contextual polymorphic output.
Blanket HTML encoding in all situations (which seems to be the true
path Shindig has taken) instead of performing contextual escaping is
slightly better from an implementation standpoint as it doesn't have
the shortcomings of requiring a DOM node walker for everything. The
reality of this path is not so much that the EL escapes everything,
but that the hosting environment of the EL (the Template processor) is
applying escaping to the result of all EL statements. This solution
still suffers from the shortcomings identified in the latter part of
item 1. WRT behavior of EL statements in Javascript that are being
assigned to DOM nodes or to attributes of DOM nodes.
Expecting <os:Html> to be the only way to undo the escaping is not
practical because EL statements may exist within Javascript blocks.
Since we honor the spirit of CDATA directives by not parsing into
them, that tag won't even evaluate. Implementing escape/unescape as
functions (in addition to os:Html) exposes that control to app
developers in a way that doesn't rely on extraneous tags in the
markup.
The point of this proposal is to establish a syntax whereby app
developers can write gadgets and expect consistent behavior across
containers, while still allowing containers to define their own
escaping behavior. The net result if this proposal is accespted is
that:
1. Shindig does not have to make code changes - their current approach
of blanket HTML encoding all EL statements can be left in place.
2. Developers that want portability between MySpace and Shindig-based
containers have a syntax to specify that their app wants the blanket
HTML-encode behavior for cross-compatibility.
3. Shindig can apply the secruity encoding rules that they feel are
appropriate, and MySpace can work with security approaches we feel are
appropriate, without asking each other to compromise their security in
specific ways.
--
clc
> >>
opensocial-and-gadg...@googlegroups.com<
opensocial-and-gadgets-spec%2Bunsu...@googlegroups.com>
> >> .
> >
opensocial-and-gadg...@googlegroups.com<
opensocial-and-gadgets-spec%2Bunsu...@googlegroups.com>
> > .