You are right that a functional construct such as your domplate does enable you to more easily identify potentially hazardous HTML. If properly designed, any input validation can be controlled from a single entry point.

However, the decision about what kind of input validation to perform is still left up to the individual code segments that use domplate constructors. I would suggest that all your string constructs call the escapeHTML function automatically, instead of having to specify it manually in each instance.

I did not get to read your comment until after I had written my follow up post, so my apologies if it causes you any concern.

One motivation for the functional DOM construction was indeed security - it’s far easier to identify code where I’m inserting potentially hazardous HTML this way. Firebug 0.4 used DOM methods which resulted in a lot more code to scan.

The exploit doesn’t indict the domplates system as much as it indicts me for forgetting to escape one string.

I’m not sure how you draw the conclusion that domplates are responsible for a large portion of the 700k weight of Firebug. domplates.js is only 25k, and while uses of domplates are many in Firebug, those applications would consume many more lines of code using DOM methods instead.

domplates are also much faster than DOM methods because they compile down to strings, reducing potentially hundreds of DOM method calls to a single innerHTML call.