- From: <bugzilla@jessica.w3.org>
- Date: Sun, 02 Jun 2013 12:57:23 +0000
- To: public-html-bugzilla@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=22233 Bug ID: 22233 Summary: [HTML]: I can't find the rules which specify real-world parsing of <body><script>& Classification: Unclassified Product: HTML WG Version: unspecified Hardware: PC OS: Linux Status: NEW Severity: normal Priority: P2 Component: HTML5 spec Assignee: dave.null@w3.org Reporter: alan.christopher.jenkins@googlemail.com QA Contact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-admin@w3.org, public-html-wg-issue-tracking@w3.org AFAICS the tokenizer is only switched to "script data state" from the "in head" insertion mode. However real-world browsers also switch to "script data state" from <script> inside <body>. E.g. Firefox 21.0 with this test page: <!doctype html> <body><!-- behaviour is identical if <body> is removed --> <script>alert('&')</script> The result is "&". But AFAICS the spec implies this (non-conforming) page should result in "&". (Which violates the principle of least surprise, at least). My understanding was that this was the real-world behaviour on all major browsers. And if the spec is in variation then no major browser is conforming, which is an obstacle to standardization. Am I right about the behaviour specified by HTML5? And major browsers other than Firefox? If so, does the spec need to be changed? This thought was provoked after looking at how <svg><script> works in HTML syntax. http://security.stackexchange.com/questions/36701/why-does-this-xss-vector-work-in-svg-but-not-in-html I recently came across this particular tag soup in ci-Bonfire. Example page http://eposure.com/ -- You are receiving this mail because: You are the QA Contact for the bug.
Received on Sunday, 2 June 2013 12:57:25 UTC