- From: lukas <notifications@github.com>
- Date: Sun, 26 Nov 2023 04:44:49 -0800
- To: w3c/DOM-Parsing <DOM-Parsing@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/DOM-Parsing/issues/76@github.com>
I hope my post is in the right place, if not I would like to apologise.

## The problem

I have a suggestion about DOM parsing which requires a specification change or extension. The problem has already been mentioned here in two issues, one [Issue 6](https://github.com/w3c/DOM-Parsing/issues/6) and the other [Issue 19](https://github.com/w3c/DOM-Parsing/issues/19). In short, in both cases the question arises as to how script blocks should be handled when they are appended to the DOM. My proposal also relates primarily to script blocks.

[W3c Spec innerHTML](https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0) under this link it is described that script blocks appended with `.innerHTML` are not executed. However, there may be cases in which it makes sense to execute the scripts.

## Proposed solution

By assigning a value to `.innerHTML`, executing the script blocks would probably be too great a security risk. However, an additional parameter could be added to the [insertAdjacentHTML](https://w3c.github.io/DOM-Parsing/#dom-element-insertadjacenthtml) method with which the scripts can be executed.

For example:

```js
.insertAdjacentHTML(position, text, script_exec)
```

## Implementation idea

```js
...
function insertAdjacentHTML(position, text, script_exec = false) {
...
```

By default, `script_exec` is false so that nothing changes for the caller of the function. (i.e. even existing ones continue to work without a negative effect)

For example:

```js
...
.insertAdjacentHTML("beforebegin", htmlstr)
...
```

However, if the caller now not only wants to add the `<script>`-blocks but also execute them, he must explicitly set the parameter to true.

For example:

```js
...
.insertAdjacentHTML("beforebegin", htmlstr, true)
...
```

If my idea is in the wrong place here, I would like to apologise again and ask where I could best post it.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/DOM-Parsing/issues/76
You are receiving this because you are subscribed to this thread.

Message ID: <w3c/DOM-Parsing/issues/76@github.com>

Received on Sunday, 26 November 2023 12:44:56 UTC
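
The opt-in behaviour proposed in the message above can be approximated in page script, shown here as an added example that is not code from the original post or from the DOM Parsing specification. The helper name `insertHTMLWithScripts` and its `scriptExec` parameter are hypothetical; the sketch relies on the fact that scripts created by fragment parsing are marked as already started, so they only run when re-created with `createElement`.

```javascript
// Added illustration; `insertHTMLWithScripts` and `scriptExec` are
// hypothetical names, not part of any specification.
const INSERTERS = {
  beforebegin: (el, frag) => el.before(frag),
  afterbegin: (el, frag) => el.prepend(frag),
  beforeend: (el, frag) => el.append(frag),
  afterend: (el, frag) => el.after(frag),
};

function insertHTMLWithScripts(element, position, text, scriptExec = false) {
  const insert = INSERTERS[String(position).toLowerCase()];
  if (!insert) throw new SyntaxError(`invalid position: ${position}`);

  if (!scriptExec) {
    // Default path: unchanged native behaviour, scripts stay inert.
    element.insertAdjacentHTML(position, text);
    return 0;
  }

  // Opt-in path: every <script> in `text` will run with page privileges.
  const doc = element.ownerDocument;
  const template = doc.createElement("template");
  template.innerHTML = text; // parsed, but scripts are "already started"

  let count = 0;
  for (const inert of Array.from(template.content.querySelectorAll("script"))) {
    // A script built with createElement is not marked as already started,
    // so it is prepared and executed once it becomes connected.
    const live = doc.createElement("script");
    for (const { name, value } of Array.from(inert.attributes)) {
      live.setAttribute(name, value); // keeps src, type, nonce, ...
    }
    live.textContent = inert.textContent;
    inert.replaceWith(live);
    count += 1;
  }

  insert(element, template.content);
  return count; // number of scripts made executable
}
```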