- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 17 Feb 2016 12:39:26 +0100
- To: Mike West <mkwst@google.com>
- Cc: Artur Janc <aaj@google.com>, Conrad Irwin <conrad.irwin@gmail.com>, Martin Thomson <martin.thomson@gmail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Lukas Weichselbaum <lwe@google.com>, Michele Spagnuolo <mikispag@google.com>, Devdatta Akhawe <dev.akhawe@gmail.com>, Domenic Denicola <d@domenic.me>

On Wed, Feb 17, 2016 at 11:52 AM, Mike West <mkwst@google.com> wrote:
> I haven't checked that in Chrome, so it's entirely possible that I'm wrong
> (or our implementation is wrong! :) ), but I'm fairly certain that's how it
> works. +annevk, who will certainly have opinions.

I know innerHTML should not result in scripts running (and the way innerHTML is defined is as parsing into a DocumentFragment that is then appended), but following the "prepare a script" steps it seems it would execute per the specification. But I might be missing something. Domenic, do you know what I'm missing?

--
https://annevankesteren.nl/

Received on Wednesday, 17 February 2016 11:39:54 UTC