Re: Running "Zombie" Script Elements

On Sat, 23 May 2009, Jonas Sicking wrote:
> On Fri, May 22, 2009 at 11:36 PM, Ian Hickson <ian@hixie.ch> wrote:
> > On Fri, 22 May 2009, Travis Leithead wrote:
> >>
> >> <body>
> >>  <div>
> >>   <span>
> >>    <script>
> >>     var d = document.querySelector("body > div");
> >>     d.parentNode.removeChild(d);
> >>    </script>
> >>    <code>
> >>     <script>
> >>      alert("a running zombie script?");
> >>     </script>
> >>    </code>
> >>   </span>
> >>  </div>
> >> </body>
> >
> > The second script gets executed by the "Run the script." sentence in 
> > 9.2.5.11 The "in CDATA/RCDATA" insertion mode, under "An end tag whose 
> > tag name is "script"".
> >
> > Basically when a <script> element is handled by the parser, it gets 
> > parsed regardless of what the DOM looks like.
> 
> Is there a reason for things to be designed this way?

It's done this way because when this element is inserted into the DOM, 
it's empty, so we can't execute it yet. So it has to be special-cased -- 
either by making the element not be inserted into the document until the 
end tag is seen or implied, or by making the script handling be a special 
case. It turns out that for a variety of reasons, the latter is 
significantly easier and helps with other things as well (such as 
defining exactly how document.write() interacts with the parser, which 
requires a special case here anyway).

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 11 June 2009 19:04:20 UTC
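
Added example (not part of the original messages or of the specification text): a simplified JavaScript model of the behaviour described in the thread, where a script element is inserted empty at its start tag and run at its end tag without any check of where it sits in the DOM. The hand-built token list, the helper names and the use of plain functions as script bodies are assumptions made for illustration; this is not a real HTML parser.

```javascript
// Toy model of the tree-construction steps discussed in the thread.
// Not a real HTML parser: tokens are constructed by hand and "scripts"
// are plain functions that receive the model document.
const el = (name) => ({ name, parent: null, children: [], run: null });
const append = (p, c) => { c.parent = p; p.children.push(c); };
const remove = (n) => {
  n.parent.children.splice(n.parent.children.indexOf(n), 1);
  n.parent = null;
};
const find = (n, name) => {
  if (n.name === name) return n;
  for (const c of n.children) { const hit = find(c, name); if (hit) return hit; }
  return null;
};
const connected = (n, doc) => {
  while (n.parent) n = n.parent;   // walk up to the root of this subtree
  return n === doc;
};

function parse(tokens) {
  const doc = el('#document');
  const open = [doc];              // stack of open elements
  const ran = [];                  // one record per executed script
  for (const t of tokens) {
    const current = open[open.length - 1];
    if (t.start) {                 // start tag: insert the (still empty) element
      const n = el(t.start);
      append(current, n);
      open.push(n);
    } else if (t.text) {           // script text arrives only after insertion
      current.run = t.text;
    } else {                       // end tag: pop, and run if it is a script
      const n = open.pop();
      if (n.name !== 'script') continue;
      ran.push({ id: ran.length + 1, inDocument: connected(n, doc) });
      n.run(doc);                  // no connectedness check before running
    }
  }
  return { doc, ran };
}

// Constructed token stream for the markup quoted in the thread.
const tokens = [
  { start: 'body' }, { start: 'div' }, { start: 'span' }, { start: 'script' },
  { text: (doc) => remove(find(doc, 'div')) }, { end: 'script' },
  { start: 'code' }, { start: 'script' },
  { text: () => {} /* stands in for alert(...) */ }, { end: 'script' },
  { end: 'code' }, { end: 'span' }, { end: 'div' }, { end: 'body' },
];
const result = parse(tokens);
console.log(result.ran);
```

In this model the second script is recorded as run with inDocument set to false, because the stack of open elements still points into the detached subtree after the first script removes the div.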