- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Sat, 25 Sep 2010 19:59:40 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv3472
Modified Files:
Overview.html
Log Message:
Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run. (whatwg r5499)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/spec/Overview.html,v
retrieving revision 1.4389
retrieving revision 1.4390
diff -u -d -r1.4389 -r1.4390
--- Overview.html 25 Sep 2010 19:36:20 -0000 1.4389
+++ Overview.html 25 Sep 2010 19:59:36 -0000 1.4390
@@ -12351,13 +12351,11 @@
<code><a href="#script">script</a></code> element is to be run, the user agent must act as
follows:</p>
- <ol><li id="script-processing-noscript">
+ <ol><li>
- <p>If <a href="#concept-n-noscript" title="concept-n-noscript">scripting is
- disabled</a> for the <code><a href="#script">script</a></code> element, or if the
- <code><a href="#script">script</a></code> element is marked as having <a href="#already-started">"already
- started"</a>, then the user agent must abort these steps at
- this point. The script is not executed.</p>
+ <p>If the <code><a href="#script">script</a></code> element is marked as having
+ <a href="#already-started">"already started"</a>, then the user agent must abort
+ these steps at this point. The script is not executed.</p>
</li>
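Review bot: The first step loses its id on the `+ <ol><li>` line, and the third hunk reuses "script-processing-noscript" for the new scripting-disabled step, so any existing reference to #script-processing-noscript will now resolve to a later step and the "already started" check has no anchor of its own. Consider giving this first item a distinct id so the check can still be linked to directly.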
@@ -12429,18 +12427,6 @@
</li>
- <li id="script-processing-encoding">
-
- <p>If the <code><a href="#script">script</a></code> element has a <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute, then let
- <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var> for this
- <code><a href="#script">script</a></code> element be the encoding given by the <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute.</p>
-
- <p>Otherwise, let <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var>
- for this <code><a href="#script">script</a></code> element be the same as <a href="#document-s-character-encoding" title="document's character encoding">the encoding of the document
- itself</a>.</p>
-
- </li>
-
<li id="script-processing-start">
<p>The user agent must set the element's <a href="#already-started">"already
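Review bot: The removal of the script-processing-encoding step ahead of script-processing-start is not covered by the log message, which only describes moving the policy checks after the "already started" flag is set. If the charset step is being moved so that nothing sits between the "already started" check and the step that sets the flag, say so in the log message; otherwise it reads as an unrelated reordering.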
@@ -12455,6 +12441,15 @@
</li>
+ <li id="script-processing-noscript">
+
+ <p>If <a href="#concept-n-noscript" title="concept-n-noscript">scripting is
+ disabled</a> for the <code><a href="#script">script</a></code> element, then the user
+ agent must abort these steps at this point. The script is not
+ executed.</p>
+
+ </li>
+
<li id="script-processing-for">
<p>If the <code><a href="#script">script</a></code> element has an <code title="attr-script-event"><a href="#attr-script-event">event</a></code> attribute and a <code title="attr-script-for"><a href="#attr-script-for">for</a></code> attribute, then run these
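Review bot: The new script-processing-noscript step aborts without stating that the element stays marked "already started", which is the property the log message relies on. Add a sentence or note to this step saying the flag is deliberately left set, so that a script skipped because scripting was disabled does not run if its document is later reinserted somewhere with scripting enabled; without it, a later editor could move the check back to the top as an apparent simplification.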
@@ -12487,6 +12482,18 @@
</li>
+ <li id="script-processing-encoding">
+
+ <p>If the <code><a href="#script">script</a></code> element has a <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute, then let
+ <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var> for this
+ <code><a href="#script">script</a></code> element be the encoding given by the <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute.</p>
+
+ <p>Otherwise, let <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var>
+ for this <code><a href="#script">script</a></code> element be the same as <a href="#document-s-character-encoding" title="document's character encoding">the encoding of the document
+ itself</a>.</p>
+
+ </li>
+
<li id="script-processing-src-prepare">
<p>If the element has a <code title="attr-script-src"><a href="#attr-script-src">src</a></code>
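Review bot: The script-processing-encoding step now comes after the scripting-disabled and event/for steps, and the hunks do not show whether any step between its old and new position reads the script block's character encoding. The added text matches the lines removed in the second hunk, so this is a pure move; please confirm that nothing before script-processing-src-prepare depends on the encoding having already been set.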
Received on Saturday, 25 September 2010 19:59:41 UTC