69 points jdkoeck | 1 comments
dvh ◴[] No.44437459[source]
It should be secure by default, no more .innerHTML = user_name and gluing strings together like with SQL in the '90s.
replies(1): >>44437616 #
1. jfagnani ◴[] No.44437616[source]
This API is definitely secure by default, and that's one of the constraints and requirements I mention in the post.

The API is secure because it separates static, developer-controlled strings from dynamic and possibly user-controlled values by JavaScript syntax. Values from text bindings are written to the DOM by setting TextNode.data, which escapes the value first.
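The separation jfagnani describes, as an added example that is not part of this thread and not lit-html's own code: a toy tagged template whose tag function receives the developer-written literal parts and the bound values as separate arguments, so a value can never be parsed as markup. It serializes to a string so it runs in Node; in a browser the value branch would create a Text node and assign its `.data` rather than escaping. The `html`, `render`, `escapeText`, `unsafeGreeting` and `safeGreeting` names and the sample "user name" are constructed for this illustration.

```javascript
// Added example (not from the original thread or from lit-html): a minimal
// tagged template that keeps static markup and bound values apart.

// Escape the characters that would let text be read as markup.
function escapeText(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// A tag function receives the literal parts and the interpolated values as
// separate arguments. That split is done by JavaScript syntax, not by a call
// the developer has to remember to make, which is what makes it safe by default.
function html(strings, ...values) {
  return { strings, values };
}

// Static parts are emitted verbatim (the developer wrote them); every bound
// value is escaped, or rendered recursively if it is itself a template result.
// A production implementation would brand-check template results instead of
// duck-typing on a `strings` property.
function render(tpl) {
  let out = '';
  for (let i = 0; i < tpl.strings.length; i++) {
    out += tpl.strings[i];
    if (i < tpl.values.length) {
      const v = tpl.values[i];
      out += (v !== null && typeof v === 'object' && Array.isArray(v.strings))
        ? render(v)
        : escapeText(v);
    }
  }
  return out;
}

// The '90s-SQL style the parent comment objects to: the value is glued into
// the markup string before parsing, so any tags inside it become live.
function unsafeGreeting(userName) {
  return '<p>Hello, ' + userName + '</p>';
}

// Same markup, but userName is a bound value and never reaches the parser raw.
function safeGreeting(userName) {
  return render(html`<p>Hello, ${userName}</p>`);
}

// Constructed sample input: a "user name" that happens to contain markup.
const sampleName = '<b>Mallory</b>';

console.log(unsafeGreeting(sampleName)); // <p>Hello, <b>Mallory</b></p>   (markup is live)
console.log(safeGreeting(sampleName));   // <p>Hello, &lt;b&gt;Mallory&lt;/b&gt;</p>
```

Note that nesting only works for template results the developer built with the tag (`html\`<ul>${html\`<li>${item}</li>\`}</ul>\``); a plain string that merely looks like markup always goes through `escapeText`, regardless of where it came from.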