Re: Running "Zombie" Script Elements

On Fri, 22 May 2009, Travis Leithead wrote:
> 
> Here’s a quick markup and script sample:
> 
> <body>
>  <div>
>   <span>
>    <script> 
>     var d = document.querySelector("body > div"); 
>     d.parentNode.removeChild(d); 
>    </script>
>    <code>
>     <script> 
>      alert("a running zombie script?"); 
>     </script>
>    </code>
>   </span>
>  </div>
> </body>

The second script gets executed by the "Run the script." sentence in 
9.2.5.11 The "in CDATA/RCDATA" insertion mode, under "An end tag whose tag 
name is "script"".

Basically when a <script> element is handled by the parser, it gets parsed 
regardless of what the DOM looks like.


> I think the answer is "no" because, according to 4.3.1 " When a script 
> element that is neither marked as having "already executed" nor marked 
> as being "parser-inserted" experiences one of the events listed in the 
> following list, the user agent must run the script element:
> 
>     * The script element gets inserted into a document.
>     * The script element's child nodes are changed.
>     * The script element has a src attribute set where
>       previously the element had no such attribute."

These rules don't apply because the element in question is marked as 
parser-inserted by step 2 in the rules for the "A start tag whose tag name 
is "script"" case in 9.2.5.7 The "in head" insertion mode, which happens 
for any "script" start tag token in the parser.

(The three bullet points above _would_ apply if a script did an 
appendChild() of a dynamically created element into the <div>, since then 
the <div> not being in a document would mean the <script> was never 
inserted into the document and thus the script wouldn't run.)

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
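The two cases contrasted in the reply above, as an added example page that is not part of the original thread: the second inline `<script>` is parser-inserted, so it runs even though its ancestor `<div>` was detached by the first script, while a dynamically created script appended into that detached `<div>` is never "inserted into a document" and so never executes. `document.currentScript` and `isConnected` are standard DOM APIs used here only to report the element's state; the `console.log` messages are constructed for this example. The practical consequence for anyone sanitizing markup by removing nodes after the parser has built them is that removal is too late to stop the parser-inserted script.

```html
<!DOCTYPE html>
<title>Parser-inserted vs. dynamically inserted script (added example)</title>
<body>
 <div>
  <span>
   <script>
    /* Detach the div (and with it this script and everything after it). */
    var d = document.querySelector("body > div");
    d.parentNode.removeChild(d);
   </script>
   <code>
    <script>
     /* Case 1: parser-inserted script. The parser runs it when it sees the
        end tag, regardless of whether the element is still in the document. */
     console.log("parser-inserted script ran; connected to document: "
                 + document.currentScript.isConnected);   // logs false

     /* Case 2: a script created by script and appended into the detached
        div. The "inserted into a document" trigger never fires, so the
        constructed message below is never logged. */
     var s = document.createElement("script");
     s.textContent = "console.log('dynamic script in detached div ran')";
     d.appendChild(s);
     console.log("dynamic script appended; connected to document: "
                 + s.isConnected);                         // logs false
    </script>
   </code>
  </span>
 </div>
</body>
```

Loading the page in a browser and opening the console shows only the two `connected to document: false` lines; the message from the dynamically appended script never appears. Appending `d` back into the document afterwards (for example `document.body.appendChild(d)`) would connect `s` and run it at that moment, which is the same rule the reply describes from the other direction.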

Received on Saturday, 23 May 2009 06:37:30 UTC