r207392 - libclang: split out the documentation comment API
Dmitri Gribenko
gribozavr at gmail.com
Mon Apr 28 00:41:46 PDT 2014

On Mon, Apr 28, 2014 at 8:31 AM, Alp Toker <alp at nuanti.com> wrote:
>
> On 28/04/2014 08:16, Alp Toker wrote:
>>
>> When the implementation starts to add HTML5 rules and JavaScript
>> validators in libclang(!) while the basic one-liner comment parsing isn't
>> yet dogfoodable due to performance issues it's worth taking a step back.
>> Seriously, let's fix this.
>
>
> On this point, I feel strongly that any HTML sanitizing facilities or
> cross-site scripting checks should be removed from the repository. Instead
> document the fact that HTML output isn't trusted and must be sanitized
> before being sent to the user's browser.

This is a non-starter. Then, basically, no client can use the parsed
HTML without re-constructing the AST and re-doing semantic analysis.

> As you said in your own commit log, "going over all of the HTML5 spec
> requires a significant amount of time" and what's in-tree is incomplete and
> insecure -- so why attempt to do it in the compiler when every web framework
> in existence already has a quality implementation?

The fact that I don't have time to go through all of HTML5 now is a
separate issue.

Do all web frameworks have HTML validation sanitizing facilities? I
doubt so. (Also, "web framework" needs a definition...) But, not all
clients of libclang are using a web framework. Some are not even
websites at all.

Dmitri
--
main(i,j){for(i=2;;i++){for(j=2;j<i;j++){if(!(i%j)){j=0;break;}}if
(j){printf("%d\n",i);}}} /*Dmitri Gribenko <gribozavr at gmail.com>*/