EOF in start tag

Consider the following document:

   <body onload="alert(1)

Should the script run? Per HTML5 yes, and it does in Gecko. But we go out of our way to make sure that

   <script>alert(1)

doesn't run. Why should the first case be different?

WebKit seems to drop the element on the floor in case of early EOF. IE and Opera do some reparsing, which is not good because attribute values can suddenly turn into script elements if you get an early EOF:

   <body title="<script>alert(1)</script>


Also consider e.g.

   <iframe src="untrusted" sandbox="">

and you get an EOF before the sandbox attribute.

It seems safer to drop the element on the floor when EOF is found inside a tag.

-- 
Simon Pieters
Opera Software

Received on Wednesday, 11 March 2009 15:17:56 UTC
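The two behaviours compared above, as an added example that is not code from the post or from any browser engine: a minimal start-tag tokenizer that models only the states the message touches (tag name, attribute name, double-quoted attribute value) and lets the caller choose, on EOF inside the tag, between emitting the partial tag and dropping it. The function name, the `mode` parameter and the sample documents are assumptions made for the illustration.

```javascript
// Minimal start-tag tokenizer (illustrative, not a real engine). On EOF inside the tag:
//   mode "emit": return the partial tag as tokenized so far (emit-what-you-have)
//   mode "drop": return null, i.e. drop the element on the floor
// The IE/Opera reparsing behaviour is deliberately not modelled: a quoted value is
// never re-scanned for markup, so '<script>' inside a title value stays plain text.
function tokenizeStartTag(input, mode) {
  if (input[0] !== "<") throw new Error("expected a start tag");
  let i = 1, state = "tagName", name = "", attrName = "", attrValue = "";
  const attrs = {};
  const finishAttr = () => { if (attrName) attrs[attrName] = attrValue; attrName = ""; attrValue = ""; };
  while (i < input.length) {
    const c = input[i++];
    switch (state) {
      case "tagName":
        if (/\s/.test(c)) state = "beforeAttrName";
        else if (c === ">") return { name, attrs, complete: true };
        else name += c.toLowerCase();
        break;
      case "beforeAttrName":
        if (/\s/.test(c)) break;
        if (c === ">") return { name, attrs, complete: true };
        attrName = c.toLowerCase(); state = "attrName";
        break;
      case "attrName": // simplification: no whitespace allowed around '='
        if (c === "=") state = "beforeAttrValue";
        else if (/\s/.test(c)) { finishAttr(); state = "beforeAttrName"; }
        else if (c === ">") { finishAttr(); return { name, attrs, complete: true }; }
        else attrName += c.toLowerCase();
        break;
      case "beforeAttrValue":
        if (c !== '"') throw new Error("only double-quoted values are modelled");
        state = "attrValueDq";
        break;
      case "attrValueDq":
        if (c === '"') { finishAttr(); state = "beforeAttrName"; }
        else attrValue += c; // '<' and '>' are ordinary characters inside a quoted value
        break;
    }
  }
  // Input ended inside the tag: this is the case the message is about.
  if (mode === "drop") return null;
  finishAttr();
  return { name, attrs, complete: false };
}

// Constructed samples taken from the message: a truncated event handler, and an
// iframe cut off before its sandbox attribute (so "emit" yields an unsandboxed frame).
for (const doc of ['<body onload="alert(1)', '<iframe src="untrusted" ']) {
  console.log(JSON.stringify(tokenizeStartTag(doc, "emit")), "vs", tokenizeStartTag(doc, "drop"));
}
```

The current WHATWG tokenizer takes the second path: EOF in any in-tag state is an eof-in-tag parse error and only an end-of-file token is emitted, so the partial element never reaches the tree builder.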