- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 21 Aug 2008 17:31:43 -0700
Simon Pieters wrote:
> On Thu, 21 Aug 2008 23:54:44 +0200, Jonas Sicking <jonas at sicking.cc> wrote:
>
>> Here is the list of elements that we *don't* execute scripts inside of
>> in firefox:
>>
>> http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsScriptElement.cpp#148
>>
>> i.e. <iframe>, <noframes>, <noembed>
>>
>> Everywhere else we do execute the script.
>>
>> The reason these elements ended up at the list is in bugs
>> https://bugzilla.mozilla.org/show_bug.cgi?id=5847
>> https://bugzilla.mozilla.org/show_bug.cgi?id=26669
>
> iframe, noframes and noembed are parsed as CDATA elements
>
> http://software.hixie.ch/utilities/js/live-dom-viewer/?%3C!DOCTYPE%20html%3E%0D%0A%3Ciframe%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E%3C%2Fiframe%3E
>
> so there can't be any script elements as children of those in text/html.
> In Opera and WebKit, the script executes in
>
> data:text/xml,<iframe xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>
>
> and it hasn't caused us any problems AFAIK.

Looks like firefox doesn't parse the contents of the <iframe> as markup either, but rather treats it as CDATA. Which makes me wonder why we ever look for <iframe>s in the parent chain :)

I suspect it's just remnants from when things worked differently, the check was put in in 1999 :)

But the effect is that even in XHTML, like the example you're providing above, scripts in iframes don't execute. This was not intentional though given that this code was put in in 1999, before we had xhtml support.

/ Jonas
Received on Thursday, 21 August 2008 17:31:43 UTC
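
The parsing difference discussed in this message, as an added example that is not part of the original e-mail or of any browser's code: a toy tag scanner (the names `countScriptElements`, `skipToEndTag` and `RAW_TEXT_ELEMENTS` are hypothetical) that counts the `<script>` start tags which become elements when `<iframe>`, `<noframes>` and `<noembed>` content is treated as CDATA (text/html) versus as markup (XML). It models parsing only, not the separate parent-chain check that decides whether Firefox executes a script.

```javascript
// Added example: a toy tag scanner, not a real HTML or XML parser.
// Elements whose content the thread says text/html treats as CDATA (raw text).
const RAW_TEXT_ELEMENTS = ["iframe", "noframes", "noembed"];

// Index of the end tag "</name" at or after `from`, or end of input if absent.
function skipToEndTag(markup, name, from) {
  const endRe = new RegExp("</" + name + "\\b", "gi");
  endRe.lastIndex = from;
  const hit = endRe.exec(markup);
  return hit ? hit.index : markup.length;
}

// Count <script> start tags that become elements.
// mode "html": raw-text elements swallow their content as text.
// mode "xml":  every start tag is markup.
function countScriptElements(markup, mode) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let scripts = 0;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    if (m[1] === "/") continue; // end tags never create elements
    const name = m[2].toLowerCase();
    if (name === "script") {
      scripts += 1;
      // Script content is text in both modes; resume at its end tag.
      tagRe.lastIndex = skipToEndTag(markup, name, tagRe.lastIndex);
    } else if (mode === "html" && RAW_TEXT_ELEMENTS.includes(name)) {
      // text/html: everything up to the matching end tag is character data.
      tagRe.lastIndex = skipToEndTag(markup, name, tagRe.lastIndex);
    }
  }
  return scripts;
}

// The two test documents from the thread, decoded from the URLs quoted above.
const htmlDoc = "<!DOCTYPE html>\n<iframe><script>alert(1)</script></iframe>";
const xhtmlDoc =
  "<iframe xmlns='http://www.w3.org/1999/xhtml'><script>alert(1)</script></iframe>";

console.log("text/html script elements:", countScriptElements(htmlDoc, "html"));
console.log("XML script elements:", countScriptElements(xhtmlDoc, "xml"));
```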