html5/spec scripting-1.html,1.18,1.19 spec.html,1.1220,1.1221

Update of /sources/public/html5/spec
In directory hutz:/tmp/cvs-serv4470

Modified Files:
	scripting-1.html spec.html 
Log Message:
Make policy checks for <script> happen after the flag is set that prevents the script from being run again, so that if somehow an attacker causes a document to be reinserted somewhere that has scripts enabled, the scripts still won't run. (whatwg r5499)

[updated by splitter]


Index: scripting-1.html
===================================================================
RCS file: /sources/public/html5/spec/scripting-1.html,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -d -r1.18 -r1.19
--- scripting-1.html	25 Sep 2010 19:46:38 -0000	1.18
+++ scripting-1.html	25 Sep 2010 20:16:32 -0000	1.19
@@ -492,13 +492,11 @@
   <code><a href="#script">script</a></code> element is to be run, the user agent must act as
   follows:</p>
 
-  <ol><li id="script-processing-noscript">
+  <ol><li>
 
-    <p>If <a href="webappapis.html#concept-n-noscript" title="concept-n-noscript">scripting is
-    disabled</a> for the <code><a href="#script">script</a></code> element, or if the
-    <code><a href="#script">script</a></code> element is marked as having <a href="#already-started">"already
-    started"</a>, then the user agent must abort these steps at
-    this point. The script is not executed.</p>
+    <p>If the <code><a href="#script">script</a></code> element is marked as having
+    <a href="#already-started">"already started"</a>, then the user agent must abort
+    these steps at this point. The script is not executed.</p>
 
    </li>
 
@@ -570,18 +568,6 @@
 
    </li>
 
-   <li id="script-processing-encoding">
-
-    <p>If the <code><a href="#script">script</a></code> element has a <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute, then let
-    <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var> for this
-    <code><a href="#script">script</a></code> element be the encoding given by the <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute.</p>
-
-    <p>Otherwise, let <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var>
-    for this <code><a href="#script">script</a></code> element be the same as <a href="dom.html#document-s-character-encoding" title="document's character encoding">the encoding of the document
-    itself</a>.</p>
-
-   </li>
-
    <li id="script-processing-start">
 
     <p>The user agent must set the element's <a href="#already-started">"already
@@ -596,6 +582,15 @@
 
    </li>
 
+   <li id="script-processing-noscript">
+
+    <p>If <a href="webappapis.html#concept-n-noscript" title="concept-n-noscript">scripting is
+    disabled</a> for the <code><a href="#script">script</a></code> element, then the user
+    agent must abort these steps at this point. The script is not
+    executed.</p>
+
+   </li>
+
    <li id="script-processing-for">
 
     <p>If the <code><a href="#script">script</a></code> element has an <code title="attr-script-event"><a href="obsolete.html#attr-script-event">event</a></code> attribute and a <code title="attr-script-for"><a href="obsolete.html#attr-script-for">for</a></code> attribute, then run these
@@ -628,6 +623,18 @@
 
    </li>
 
+   <li id="script-processing-encoding">
+
+    <p>If the <code><a href="#script">script</a></code> element has a <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute, then let
+    <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var> for this
+    <code><a href="#script">script</a></code> element be the encoding given by the <code title="attr-script-charset"><a href="#attr-script-charset">charset</a></code> attribute.</p>
+
+    <p>Otherwise, let <var><a href="#the-script-block-s-character-encoding">the script block's character encoding</a></var>
+    for this <code><a href="#script">script</a></code> element be the same as <a href="dom.html#document-s-character-encoding" title="document's character encoding">the encoding of the document
+    itself</a>.</p>
+
+   </li>
+
    <li id="script-processing-src-prepare">
 
     <p>If the element has a <code title="attr-script-src"><a href="#attr-script-src">src</a></code>

Index: spec.html
===================================================================
RCS file: /sources/public/html5/spec/spec.html,v
retrieving revision 1.1220
retrieving revision 1.1221
diff -u -d -r1.1220 -r1.1221
--- spec.html	25 Sep 2010 19:46:38 -0000	1.1220
+++ spec.html	25 Sep 2010 20:16:32 -0000	1.1221
@@ -338,7 +338,7 @@
     <a href="Overview.html">single page HTML</a>,
     <a href="spec.html">multipage HTML</a>,
     <a href="author/">web developer edition</a>.
-This is revision 1.4389.
+This is revision 1.4390.
    </p> 
      <p class="copyright"><a href="http://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a>
    &#169; 2010 <a href="http://www.w3.org/"><abbr title="World Wide

Received on Saturday, 25 September 2010 20:16:36 UTC