
Re: "/>" (was Re: several messages about New Vocabularies in text/html

From: Henri Sivonen <hsivonen@iki.fi>
Date: Wed, 2 Apr 2008 19:23:39 +0300
Cc: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>, Sam Ruby <rubys@us.ibm.com>, Neil Soiffer <Neils@dessci.com>, public-html@w3.org, www-math@w3.org
Message-Id: <5C09E362-1FCC-41DA-A9AE-DCECB7606255@iki.fi>
To: Bruce Miller <bruce.miller@nist.gov>

On Apr 2, 2008, at 19:13, Bruce Miller wrote:
>
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>>> I'm trying, but I don't get it.
>>> I guess you're saying that with something like:
>>> <script/>
>>>   do_dangerous_stuff();
>>> </script>
>> Gatekeeper applying the rule "/> always closes" would determine
>> that do_dangerous_stuff(); is not executable but existing browsers
>> would still run it. Of course, this is the wrong way to write a
>> gatekeeper. The right way is *never* to pass through original
>> source but to always run a parser, followed by sanitizer, followed
>> by serializer. However, we can't expect people who write
>> gatekeepers to be competent.
>
> Hmm....
> Can </script> put do_dangerous_stuff(); into a (new) <script>
> so that "everybody" agrees it's executable?

Not without creating a gatekeeper problem.

> What do current browsers do with:
> <script/>
>  do_dangerous_stuff();
> <body>....
> ?

The <body> tag becomes part of the script but the script doesn't run,
because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1
and Opera 9.5 beta.)

http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E
...

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Wednesday, 2 April 2008 16:24:46 GMT
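The mismatch discussed in this message, as an added example that is not part of the thread and not any browser's or gatekeeper's real code: a toy Python model of the "/> always closes" rule beside an approximation of what the browser does (self-closing flag on <script/> ignored, raw text until </script>, no execution if EOF comes first), plus the parse/sanitize/serialize shape Henri recommends. The sample strings and all function names are constructed for this illustration, and the scanner is a deliberate simplification, not a conforming HTML parser.

```python
import re

# Constructed inputs reproducing the two fragments discussed in the thread.
SAMPLE_CLOSED = "<script/>\n  do_dangerous_stuff();\n</script>\n"
SAMPLE_EOF = "<script/>\n do_dangerous_stuff();\n<body>....\n"

START_TAG = re.compile(r"<script(?:[\s/][^>]*)?>", re.I)  # '/>' is just '>' here
END_TAG = re.compile(r"</script\s*>", re.I)


def naive_script_bodies(html):
    """Gatekeeper rule '/> always closes': a start tag ending in '/>' is taken
    as an empty element, so only a bare <script ...> opens executable text."""
    pattern = re.compile(r"<script(?:\s[^>]*?)?(?<!/)>(.*?)</script\s*>", re.I | re.S)
    return [m.group(1) for m in pattern.finditer(html)]


def browser_script_elements(html):
    """Approximation of the HTML parser: the self-closing flag on <script/> is
    ignored, the element opens, and everything up to the next </script> is raw
    script text. If EOF comes first the parser marks the script 'already
    started', so it never runs. (The spec's escaped states for <!-- --> inside
    script text are not modelled.)"""
    elements, pos = [], 0
    while True:
        start = START_TAG.search(html, pos)
        if not start:
            return elements
        end = END_TAG.search(html, start.end())
        if end:
            body, stop, executes = html[start.end():end.start()], end.end(), True
        else:
            body, stop, executes = html[start.end():], len(html), False
        elements.append({"span": (start.start(), stop), "body": body, "executes": executes})
        pos = stop


def parse_sanitize_serialize(html):
    """What the thread recommends instead: never pass original source through.
    Parse, apply a policy (here: drop every script element, closed or not) and
    re-emit, so the browser only receives what the gatekeeper understood."""
    out, pos = [], 0
    for element in browser_script_elements(html):
        begin, stop = element["span"]
        out.append(html[pos:begin])
        pos = stop
    out.append(html[pos:])
    return "".join(out)
```

On SAMPLE_CLOSED the naive rule reports no script at all while the browser-side model reports an executable body; on SAMPLE_EOF the `<body>....` line ends up inside the unclosed script text, which is why a real gatekeeper must work from the parsed view rather than the raw bytes.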
