Editor’s Draf, 10 January 2025 - Trusted Types (Was: Space Junk might fall on your head [Scryer Prolog WASM])

Hi,
So there is something in the making concerning
DOM Streaming, respectively HTML Writers, what Mozilla
calls: Trusted HTML Sinks. It this document:
Editor’s Draf, 10 January 2025 - Trusted Types
https://w3c.github.io/trusted-types/dist/spec/
Nowadays one is practically forced to abandon document.write().
There are two behaviours. For example executing this on
an a website via the JavaScript developer console:
let result = '<script> alert("XSS"); </script>';
document.write(`<p>Sudoku solver returns:</p><pre>${result}</pre>`);
Gives a nice little XSS action:
<Alert Dialog Shown>
Then if I try the same on the Google search page I get:
VM305:1 This document requires 'TrustedHTML' assignment.
(anonymous) @ VM305:1
VM305:1 Uncaught TypeError: Failed to execute 'write' on 'Document': This document requires 'TrustedHTML' assignment.
     at <anonymous>:1:10
(anonymous) @ VM305:1
Bye
Mild Shock schrieb:

Hi,
 During my quick brainstorming on SWI-Prolog
discourse concerning my library(markup) I worte:
  > Disclaimer: I didn’t look into Trealla, Scryer
 > or Ciao, what they support in this respect.
 > I only had a look at SWISH and their concept of
 > answer substitutions filters. I find this too
 > restrictive, already the library(turtle) cannot
 > be done in this setting.
 So my subc-consciousness told me there is nothing
useful to expect from Trealla, Scryer or Ciao.
Since they are total web virgins, probably never
 seen a DOM API and/or never generated production
webpages. For example this could be abused, not
something that should be promoted:
 document.write(`<p>Sudoku solver returns:</p><pre>${result}</pre>`);
 https://github.com/mthom/scryer-prolog?tab=readme-ov-file#building-webassembly   Not only is the document.write() method deprecated.
The document.write() method directly injects HTML
into the page. This leads to XSS vulnerability:
  > During the second half of 2007, XSSed documented
11,253 site-specific cross-site vulnerabilities,
compared to 2,134 "traditional" vulnerabilities
documented by Symantec. XSS effects vary in range from
petty nuisance to significant security risk, depending
on the sensitivity of the data handled by the vulnerable
site and the nature of any security mitigation
implemented by the site's owner network.
https://en.wikipedia.org/wiki/Cross-site_scripting
 Bye
 Mild Shock schrieb:

Hi,
>
But a "HTML Writer" as a statemachine shouldn't be a problem
in the Prolog world. If you have a concept of engine,
you can write a the HTMLParser as an ordinary parser,
>
which yields to get its input:
>
The HTMLParser service:
>
/* some ordinary code that reads a stream
and writes a stream, only the stream is
read via the engine interface */
>
parser_get_code(X) :-
    engine_fetch(X).
>
The HTMLParser client:
>
/* Basically the HTMLParser is used inverted.
   Just like in ordinary document.write() from
   the JavaScript world, one uses the parser as sink (sic!) */
>
parser_put_code(ParserEngine, X) :-
    engine_post(ParserEngine, X).
>
But from the above once can also develop statemachine,
and eliminate the "engine", by modelling what happens
between subsequent engine_fetch inside the ParserEngine,
>
and have an inverted parser which doesn't need "engin",
is pure Prolog code. An impurity can be the state changes,
but you can delegate it to the DOM.
>
But for streams you have always state changes, thats
what streams do, they change the sink.
>
Bye
>
Mild Shock schrieb:

Hi,
>
Streamable DOM in the form of a "HTML writer",
can be a real miracle. SWI, Ciao, etc.. none
of the Prolog systems have a "HTML writer",
>
it seems the prospect of a HTMLParser inside such
"HTML writer", and that it is a state machine
confuses the world view of many people. But
>
the idea was already pursued by Tau Prolog.
Just take an element:
>
 > <div id="writeme"></div>
>
And then literally you only have to open it:
>
 > :- use_module(library(dom)).
 >
 >output :-
 >    get_by_id(writeme, WriteMe),
 >    open(WriteMe, write, Stream),
 >    write(Stream, hello),
 >    write(Stream, world).
>
But it didn't have much adoption, rather cause more
problems than solved any:
>
 > How getting all the sandbox output into html?
 > joseph-vidal-rosset opened on Aug 2, 2022
 > https://github.com/tau-prolog/tau-prolog/issues/326
>
I do not blame the Philosopher trying to be a
Prolog programmer. It had not much utility since
write/1 now accepted and inserted HTML.
>
Bye
>
Mild Shock schrieb:

Hi,
>
The development of Novacore takes interesting turns.
Originally more accidentially, because I observed it
can serve a few interesting use cases, like atomic
>
logging with some unspoken or spoken gurantees,
I introduced put_atom/[1,2] in Novacore streams:
>
 > put_atom(S, A):
 > The built-in succeeds. As a side effect, it adds
 > the atom to the stream S.
>
Now because I am revising my streamable DOMs, the
"HTML writer" part, I even went so far as to
bootstrap put_code/[1,2] from it:
>
 > put_code(Stream, Code) :-
 >    char_code(Atom, Code),
 >    put_atom(Stream, Atom).
>
One can eliminate each put_code/[1,2] call such
as put_code(S, 0'\n) by a put_atom/[1,2] call
such as put_atom(S, '\n'). The performance is the
>
same, in my case can be slighly better since under
the hood put_code and put_atom called the same
stream meachnism.
>
But the main reason I eliminate put_code was
to have a single point. Because the Prolog
write_term/1 is 100% written in Prolog, in the
>
end it only only uses put_atom.
>
Bye

>

>