5 June 2014 TC39 Meeting Notes
Mathias Bynens
mathiasb at opera.com
Sat Jun 14 04:07:10 PDT 2014
On 13 Jun 2014, at 18:15, Domenic Denicola <domenic at domenicdenicola.com> wrote:
> IMO it would be a good universe where `<module>` had the following things `<script>` has:
>
> - Does not require escaping < > & ' " in any contexts.
> - Terminates when seeing `</module` + extra chars. (Possibly we could do this only when it would otherwise be a parsing error, to avoid `"</mod" + "ule>"` grossness? But that would require some intertwingling of the HTML and ES parsers, which I can imagine implementers disliking.)
>
> But it removes the following things `<script>` has:
>
> - `<!--` escaped data mode and double-escaped mode
> - \r, \r\n, \0 special-casing
> - The two new single-line comment forms (maybe; I know these work in Node though, so maybe just leave them in as part of the ES6 spec).
The majority of those are impossible without introducing different parse trees in old browsers (that do not recognize `<module>`) versus in new browsers. Different parse trees are a security risk.
More information about the es-discuss
mailing list