- From: Shadow2531 <shadow2531@gmail.com>
- Date: Thu, 11 May 2006 05:56:27 -0400
On 5/11/06, Lachlan Hunt <lachlan.hunt at lachy.id.au> wrote:
> Shadow2531 wrote:
> > <object type="text/html" data="about:blank">
> > <script>alert('You should not see this!');</script>
> > </object>
> >
> > What should happen in situations like that?
> >
> > The script element is alternate content.
> > The object is rendered.
> > The script SHOULD NOT be executed *until* the alernate content is
> > rendered.
>
> If scripts inside <object> aren't executed, then consider what should
> happen with this:
>
> <script>
> document.write("<object type=\"text/html\" data=\"test\">");
> </script>
> <p>alternate content for when both scripts and the object isn't
> supported</p>
> <script>
> document.write("<\/object>");
> </script>
>
> Because of the way document.write() works by writing data back into the
> stream, the question is: if scripts inside objects are not executed, is
> the second script considered part of the alternate content and thus not
> executed?
> Lachlan Hunt
> http://lachy.id.au/
>
Ouch. I see your point.
That problem could be avoided by authors making sure each
document.write() wrote complete element markup instead of splitting it
up like in your example. However, your example is far too common and
unless I'm missing something, not executing scripts in object tags
would break lots of things. Ouch.
While we're at it though, can you think of other reasons?
Thanks
--
burnout426
Received on Thursday, 11 May 2006 02:56:27 UTC