Use <script type="text/template">, <script type="text/tcl"> or <template> for client side HTML templates?


I know, there is a similar question available - however, this was 3 years ago, and the comment about text/tcl didn't seem to catch up in the discussion.


Do you know which version is to prefer when implementing client side templates:

<script type="text/template"> or <script type="text/tcl"> or even <template>?

  • I heard that some security software may filter out certain <script> tags which do not match a common standard, so text/template could probably be filtered out by some proxy or antivirus software due to security reasons?
  • Is there any disadvantage in using text/tcl?
  • Is it safe to use <template> when creating the element first with document.createElement("template") for older browsers (IE)?

Thank you very much for your help in advance.

Best answer:

  1. I've not heard of security software attacking specific types of <script>; all my experience has been with "security" software that mangled any <script> they saw. Some research doesn't turn anything further up, but they may have targeted things like VBScript during the bad old IE6-COM exploit days.

  2. text/tcl means the Tcl language, an old W3C choice for a web scripting language that wasn't JavaScript. (There is a long story behind this which explains things like why the DOM is so terrible.)

    Work was done on implementing it, but I cannot find any browser that accomplished this. There is a Tcl browser plugin, but its demos use application/x-tcl, so probably nothing will happen even for that one guy running a decade-old browser with inadvisable plugin choices.

    The only effect other than the browser ignoring it I do know is that old Internet Explorer does a registry lookup for handlers of unknown type values on <script>. (This came up during HTML5's new <script type="module">, but I can't dig up the right mailing list/GitHub issue/chat log/wherever the WHATWG discovered that.) They decided it was ignorable (with the Edge team's blessing).

  3. It's relatively safe, but beware that markup inside the shivved <template> will still execute; src attributes will load (even if they're empty), <script>s will run, <style>s will style, etc.
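
Point 3 of the answer as an added example (not part of the original answer): a lint-style check that feature-detects native `<template>` and, where it is only shivved, flags template markup that would take effect instead of staying inert. The function names, the returned labels and the sample markup are hypothetical, and the regex scan is a simplification, not an HTML parser.

```javascript
// Added example; all names here are hypothetical.
// Native <template> parses its children into an inert fragment exposed as
// .content. A shivved element (old IE) has no .content and its children are live.
function hasInertTemplate(doc) {
  return 'content' in doc.createElement('template');
}

// List the parts of a template's markup that take effect when the
// <template> is only shivved: scripts, styles, and any src attribute
// (an empty src still triggers a load, as the answer notes).
function activeMarkup(markup) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const tag = m[1].toLowerCase();
    // Blank out quoted values so "src=" inside a value is not counted.
    const bare = m[2].replace(/"[^"]*"|'[^']*'/g, '""');
    if (tag === 'script') findings.push('script runs');
    else if (tag === 'style') findings.push('style applies');
    if (/\ssrc\s*=/i.test(bare)) findings.push(tag + ' src loads');
  }
  return findings;
}

// Pick a container: native <template> when it is inert, the shiv only for
// markup with nothing active, otherwise a non-executing <script> type,
// whose body the browser keeps as plain text.
function chooseContainer(doc, markup) {
  if (hasInertTemplate(doc)) return 'template';
  return activeMarkup(markup).length === 0
    ? 'template-shiv'
    : 'script-type-text-template';
}

// Constructed stand-ins for document in a modern and a legacy browser.
const modernDoc = { createElement: () => ({ content: {} }) };
const legacyDoc = { createElement: () => ({}) };

// Constructed sample templates.
const plainRow = '<li class="row">{{name}}</li>';
const riskyCard = '<img src=""><script>x()</script><style>p{}</style>';

console.log(chooseContainer(legacyDoc, plainRow));
console.log(chooseContainer(legacyDoc, riskyCard), activeMarkup(riskyCard));
```

In a browser, pass the real `document` instead of the stand-in objects.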