W3C home > Mailing lists > Public > www-svg@w3.org > January 2014

script tags fire in a switch element

From: Miles Elam <mcelam@google.com>
Date: Thu, 16 Jan 2014 16:01:40 -0800
Message-ID: <CAGYSi7E8b1i2TeF2_W0v15xzNTgFCjZPG-+-0dNkQspb06FJdw@mail.gmail.com>
To: www-svg@w3.org
Example URL:
http://jsbin.com/ABOzeDAR/2

Alert box shown even though the script tag should be in a deactivated
portion of the switch element.

I was exploring this as a way of getting IE SMIL support to work by
enabling the FakeSmile (SMIL polyfill) script only when the
declarative animation feature is missing, i.e., 'switch' with
requiredFeatures="http://www.w3.org/TR/SVG11/feature#Animation".
Unfortunately, Chrome, FireFox, and Safari all execute the script
regardless of placement whereas purely visual elements work as
expected when placed in the switch.

I found this unintuitive. As a Mozilla contributor noted, "‘script’
should actually only be valid if it is a child of ‘a’, ‘defs’,
‘glyph’, ‘g’, ‘marker’, ‘missing-glyph’, ‘pattern’, ‘svg’, and
‘symbol'. By the letter of the svg specification therefore it should
be ignored even if it is the active child of a switch (unless you made
the script the child of a valid container like an svg or g element)."

So I may have been in error in trying the script tag in the switch
element, but given that it's invalid either way, I find it troubling
that a script gets executed regardless of context.

The spec would do well to have the behavior codified. Also, is there
any proposal for incorporating such polyfills without scripting? I
though I had found one with the switch element, but obviously not in
practice.

One of my goals was to have an easily validated SVG model that was
purely declarative, meaning in this case SVG + SMIL. Once event
handlers, script tags, and executable data URIs enter in the picture,
the potential exploit surface becomes vastly larger. The introduction
of the SMIL polyfill was only meant to be limited pragmatism toward
Microsoft's...shall we say independence.

I'd like to use declarative feature detection, but as it stands I'm
stuck with adding the script everywhere or doing server side
modification by user agent sniffing, i.e., non-optimal, and there is
no guidance here with regard to a spec that I can refer to during bug
reports.


Cheers,

Miles Elam
Received on Friday, 17 January 2014 10:39:04 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 8 March 2017 09:47:35 UTC