Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Unless your framework bridges the backend and frontend you're not going to just magically get rid of XSS vectors.

Also regardless of what framework you are using you still have access to location.href, e.innerHTML, etc. I'm not really sure what you're trying to convey here but it's lost on me because, framework or not, all of these things still exist. Hell angular simply wraps location as do some other frameworks.



I thought his point was clear. A framework provides all those things, free of charge. Instead of using location.href or e.innerHTML you're invited to use framework.html(), etc. It's possible you would take care of escaping output on your own, but the point he was trying to convey is that you are likely to take shortcuts and not do all those things.


framework.html() would presumably have the same problems as e.innerHTML (as you're probably aware). The examples that come to mind are replacing something like...

  e.innerHTML = "<td class=\"" + type + ">" + value + "</td>"
with:

  d3.select(e).append("td").attr("class", type).text(value)
or:

  $(e).append("<td></td>").addClass(type).text(value)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: