Re: "/>" (was Re: several messages about New Vocabularies in text/html

On Apr 2, 2008, at 19:13, Bruce Miller wrote:
> Henri Sivonen wrote:
>> On Apr 2, 2008, at 18:58, Bruce Miller wrote:
>>> I'm trying, but I don't get it.
>>> I guess you're saying that with something like:
>>> <script/>
>>>   do_dangerous_stuff();
>>> </script>
>> Gatekeeper applying the rule "/> always closes" would determine  
>> that do_dangerous_stuff(); is not executable but existing browsers  
>> would still run it. Of course, this is the wrong way to write a  
>> gatekeeper. The right way is *never* to pass through original  
>> source but to always run a parser, followed by sanitizer, followed  
>> by serializer. However, we can't expect people who write  
>> gatekeepers to be competent.
> Hmm....
> Can </script> put do_dangerous_stuff(); into a (new) <script>
> so that "everybody" agrees it's executable?

Not without creating a gatekeeper problem.

> What do current browsers do with:
> <script/>
>  do_dangerous_stuff();
> <body>....
> ?

The <body> tag becomes part of the script but the script doesn't run,  
because EOF is hit before a </script>. (Tried Firefox 3b4, Safari 3.1  
and Opera 9.5 beta.)!DOCTYPE%20html%3E%0A%3Cscript%2F%3E%0A%20w(%22Dangerous%22)%3B%0A%3Cbody%3E 

Henri Sivonen

Received on Wednesday, 2 April 2008 16:24:46 UTC