[whatwg] form controls inside <object> elements from Ian Hickson on 2008-11-26 (public-whatwg-archive@w3.org from November 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Wed, 26 Nov 2008 12:41:46 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0811261236260.17414@hixie.dreamhostps.com>

On Thu, 25 Oct 2007, Vlad Alexander (xhtml.com) wrote:
>
> Request for the HTML 5 forms section:
> 
> Alternate content such as form controls should not participate in the 
> HTTP POST if the <object> can be rendered. In this example, if logo.gif 
> can be rendered, then data from <textarea> should not be send to the 
> server:
> 
> <object data="logo.gif" type="image/gif" width="180" height="60">
>         <textarea id="abc" name="abc" rows="5" cols="70">Hello World!</textarea>
> </object>
> 
> Here is a test page for the above example:
> http://misc.xstandard.com/mozilla/alternate-content1.asp
> 
> This causes problems for plug-ins loaded via the <object> element. In 
> this example, the same "name" is used for both the <object> and 
> <textarea> elements because most CMS expect only one field to be 
> submitted from a control.
> 
> <object name="abc" type="application/x-xstandard">
>         <param name="Value" value="some text" />
>         <textarea name="abc">more text</textarea>
> </object>
> 
> In the above example, data is sent to the server from both the plug-in 
> (correct) and the alternate content (incorrect).
> 
> IE and Opera support this. The HTML 5 spec should formally define this 
> behavior.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=335567
> http://bugs.webkit.org/show_bug.cgi?id=11803

IE's behavior isn't really one we can copy; they do this at the parser 
level, which is bad for all kinds of reasons. If they fix their parser, 
their handling of form controls here will start working.

It seems like this problem is easy to work around by simply not using 
proprietary plugins or, if one is forced to use them, by simply using 
controls with different names or differentiating them based on their 
position in the submitted data.

I haven't changed the spec, as there seems to be minimal interest in this 
issue and it has easy and simple workarounds. It's also not clear that it 
really is a bug, after all, there could easily be use cases for putting 
<input type=hidden> controls in the <object>, and one can even imagine an 
<object> showing an HTML page that pokes around the fallback content to 
set form controls accordingly.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 26 November 2008 04:41:46 UTC