
69 points jdkoeck | 2 comments
1. dvh No.44437459
It should be secure by default, no more .innerHTML = user_name and gluing strings together like with SQL in the '90s.
2. jfagnani No.44437616
This API is definitely secure by default, and that's one of the constraints and requirements I mention in the post.

The API is secure because it separates static developer controlled strings from dynamic and possibly user-controlled values by JavaScript syntax. Values from text bindings are written to the DOM by setting TextNode.data, which escapes the value first.
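To make the separation by syntax concrete, here is an added illustration (not code from the linked post or from any library) of a tagged-template `html` tag that keeps the developer-written static strings apart from interpolated values and treats only the latter as text; because it runs in Node without a DOM, a string serializer stands in for writing values into Text nodes, so the escaping step is explicit. All function names (`html`, `render`, `isTemplateStrings`, `safeGreeting`, `unsafeGreeting`) are hypothetical.

```javascript
// Added example: a minimal tagged template that keeps developer-written
// statics apart from interpolated values. Runs in Node; a string serializer
// stands in for setting a Text node's data. Names are hypothetical.

// Escape the characters that can change the HTML parse state. Quotes are
// included so the same helper is also safe inside attribute values.
function escapeText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A genuine tagged-template call receives a frozen strings array carrying a
// `raw` property. Runtime data cannot forge one, so whatever arrives in
// `strings` was, by construction, written in source code by the developer.
function isTemplateStrings(strings) {
  return Array.isArray(strings) && Object.isFrozen(strings) &&
    Array.isArray(strings.raw);
}

// The `html` tag: statics are trusted as-is, values are remembered separately
// and never concatenated into the markup as markup.
function html(strings, ...values) {
  if (!isTemplateStrings(strings)) {
    throw new TypeError("html must be used as a tagged template literal");
  }
  return { strings, values };
}

// Render to markup; only the dynamic parts pass through escapeText.
function render(template) {
  let out = "";
  template.strings.forEach((s, i) => {
    out += s;
    if (i < template.values.length) out += escapeText(template.values[i]);
  });
  return out;
}

// Contrast: string gluing, where user data is parsed as markup.
function unsafeGreeting(userName) {
  return "<p>Hello, " + userName + "</p>";
}

function safeGreeting(userName) {
  return render(html`<p>Hello, ${userName}</p>`);
}
```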