On 13 Jun 2014, at 18:15, Domenic Denicola <dome...@domenicdenicola.com> wrote:
> IMO it would be a good universe where `<module>` had the following things > `<script>` has: > > - Does not require escaping < > & ' " in any contexts. > - Terminates when seeing `</module` + extra chars. (Possibly we could do this > only when it would otherwise be a parsing error, to avoid `"</mod" + "ule>"` > grossness? But that would require some intertwingling of the HTML and ES > parsers, which I can imagine implementers disliking.) > > But it removes the following things `<script>` has: > > - `<!--` escaped data mode and double-escaped mode > - \r, \r\n, \0 special-casing > - The two new single-line comment forms (maybe; I know these work in Node > though, so maybe just leave them in as part of the ES6 spec). The majority of those are impossible without introducing different parse trees in old browsers (that do not recognize `<module>`) versus in new browsers. Different parse trees are a security risk. _______________________________________________ es-discuss mailing list es-discuss@mozilla.org https://mail.mozilla.org/listinfo/es-discuss