RE: Running "Zombie" Script Elements from Travis Leithead on 2009-05-23 (public-html@w3.org from May 2009)

From: Travis Leithead <Travis.Leithead@microsoft.com>
Date: Sat, 23 May 2009 08:15:09 -0700
To: Ian Hickson <ian@hixie.ch>
CC: "'public-html@w3.org'" <public-html@w3.org>, Harley Rosnow <Harley.Rosnow@microsoft.com>, Kirk Sykora <ksykora@microsoft.com>
Message-ID: <0003CB8B8FE2154EB50431DB2B8F69C02145C8306F@NA-EXMSG-W601.wingroup.windeploy.ntd>

Thanks.

-Travis

-----Original Message-----
From: Ian Hickson [mailto:ian@hixie.ch] 
Sent: Friday, May 22, 2009 11:37 PM
To: Travis Leithead
Cc: 'public-html@w3.org'; Harley Rosnow; Kirk Sykora
Subject: Re: Running "Zombie" Script Elements

On Fri, 22 May 2009, Travis Leithead wrote:
> 
> Here’s a quick markup and script sample:
> 
> <body>
>  <div>
>   <span>
>    <script> 
>     var d = document.querySelector(“body > div”); 
>     d.parentNode.removeChild(d); 
>    </script>
>    <code>
>     <script> 
>      alert(“a running zombie script?”); 
>     </script>
>    </code>
>   </span>
>  </div>
> </body>

The second script gets executed by the "Run the script." sentence in
9.2.5.11 The "in CDATA/RCDATA" insertion mode, under "An end tag whose tag name is "script"".

Basically when a <script> element is handled by the parser, it gets parsed regardless of what the DOM looks like.


> I think the answer is "no" because, according to 4.3.1 " When a script 
> element that is neither marked as having "already executed" nor marked 
> as being "parser-inserted" experiences one of the events listed in the 
> following list, the user agent must run the script element:
> 
>     * The script element gets inserted into a document.
>     * The script element's child nodes are changed.
>     * The script element has a src attribute set where
>       previously the element had no such attribute."

These rules don't apply because the element in question is marked as 
parser-inserted by step 2 in the rules for the "A start tag whose tag name 
is "script"" case in 9.2.5.7 The "in head" insertion mode, which happens 
for any "script" start tag token in the parser.

(The three bullet points above _would_ apply if a script did an 
appendChild() of a dynamically created element into the <div>, since then 
the <div> not being in a document would mean the <script> was never 
inserted into the document and thus the script wouldn't run.)

HTH,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Saturday, 23 May 2009 15:15:47 UTC