[whatwg] Fallback behavior from Simon Pieters on 2008-08-22 (public-whatwg-archive@w3.org from August 2008)

From: Simon Pieters <simonp@opera.com>
Date: Fri, 22 Aug 2008 02:11:06 +0200
Message-ID: <op.uf9hgsabidj3kv@hp-a0a83fcd39d2.belkin>

On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:

> Here is the list of elements that we *don't* execute scripts inside of  
> in firefox:
>
> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>
> i.e. <iframe>, <noframes>, <noembed>
>
> Everywhere else we do execute the script.
>
> The reason these elements ended up at the list is in bugs
> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
> https://bugzilla.mozilla.org/show_bug.cgi?id=26669

iframe, noframes and noembed are parsed as CDATA elements

    http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E

so there can't be any script elements as children of those in text/html.  
In Opera and WebKit, the script executes in

    data:text/xml,<iframe  
xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>

and it hasn't caused us any problems AFAIK.

-- 
Simon Pieters
Opera Software

Received on Thursday, 21 August 2008 17:11:06 UTC