[whatwg] Should scripts and plugins in contenteditable content be enabled or disabled?

On Fri, 23 Apr 2010 01:28:47 +0200, Robert O'Callahan  
<robert at ocallahan.org> wrote:

> See https://bugzilla.mozilla.org/show_bug.cgi?id=519928
>
> Suppose we have a <script> element inside a contenteditable parent.  
> Should
> the script run? What about on* attribute event handlers, should they  
> fire in
> response to events? What about <object> plugins inside a contenteditable
> parent, should they be instantiated?
>
> In Webkit, scripts, event handlers and plugins run normally. IE disables
> them. Gecko disables them when designmode is used but enables them for
> contenteditable. In
> https://bugzilla.mozilla.org/show_bug.cgi?id=519928#c46a CKEditor
> developer argues forcefully that we should disable them.
>
> If we do choose to disable them, exactly how this should be specced is  
> not
> completely clear to me.
>
> There is a side issue of how editable <iframe>s should be treated.
> Presumably we should load the subdocument, but if we disabled scripts for
> editable content, should we allow scripts to run inside the <iframe>
> document? Probably yes to allow framebusting to run. Perhaps we should
> prevent user events from being delivered to the <iframe> document though?

I think scripts, event handlers and plugins should run normally in  
contenteditable. Opera have tried hard to reverse engineer and implement  
the script disabling behavior for designMode in IE and Mozilla, but really  
I think it would be saner if we let scripts, event handlers and plugins  
run normally in designMode as well.

http://lists.w3.org/Archives/Public/public-html/2007Nov/0218.html
http://lists.w3.org/Archives/Public/public-html/2008Mar/0038.html

(We might have changed behavior again slightly for compat with some sites,  
I don't recall the details.)

It seems Hixie has decided to go back to the WebKit behavior in the spec  
for designMode.

http://html5.org/tools/web-apps-tracker?from=2817&to=2818

-- 
Simon Pieters
Opera Software

Received on Thursday, 22 April 2010 23:52:29 UTC